Abstract

Security protocols are concurrent processes that communicate using cryptography with the aim 
of achieving various security properties. Recent work on their formal verification has brought
procedures and tools for deciding trace equivalence properties (e.g. anonymity, unlinkability,
vote secrecy) for a bounded number of sessions. However, these procedures are based on a naive
symbolic exploration of all traces of the considered processes which, unsurprisingly, greatly limits
the scalability and practical impact of the verification tools.

In this paper, we overcome this difficulty by developing partial order reduction techniques 
for the verification of security protocols. We provide reduced transition systems that optimally
eliminate redundant traces, and which are adequate for model-checking trace equivalence properties
of protocols by means of symbolic execution. We have implemented our reductions in the
tool Apte, and demonstrated that it achieves the expected speedup on various protocols. 

Introduction

Security protocols are concurrent processes that use various cryptographic primitives in 
order to achieve security properties such as secrecy, authentication, anonymity, unlinkability, 
etc. They involve a high level of concurrency and are difficult to analyse by hand. Actually, 
many protocols have been shown to be flawed several years after their publication (and 
deployment). This has led to a flurry of research on formal verification of protocols.

A successful way of representing protocols is to use variants of the π-calculus, whose
labelled transition systems naturally express how a protocol may interact with a (potentially
malicious) environment whose knowledge increases as more messages are exchanged over
the network. Some security properties (e.g., secrecy, authentication) are then described as
reachability properties, while others (e.g., unlinkability, anonymity) are expressed as trace
equivalence properties. In order to decide such properties, a reasonable assumption is to
bound the number of protocol sessions, thereby limiting the length of execution traces. Even
under this assumption, infinitely many traces remain, since each input may be fed infinitely
many different messages. However, symbolic execution and dedicated constraint solving 
procedures have been devised to provide decision procedures for reachability [mug and, 
more recently, equivalence properties [Ml El]. Unfortunately, the resulting tools, especially 
those for checking equivalence (e.g., Apte uni, Spec [35]), have a very limited practical impact
because they scale very badly. This is not surprising since they treat concurrency in a very 
naive way, exploring all possible symbolic interleavings of concurrent actions. 

Contributions. We develop partial order reduction (POR) techniques [211 [Z1 HI] for trace 
equivalence checking of security protocols. Our main challenge is to do it in a way that is 
compatible with symbolic execution: we should provide a reduction that is effective when 
messages remain unknown, but leverages information about messages when it is inferred 
by the constraint solver. We achieve this by refining interleaving semantics in two steps, 
gradually eliminating redundant traces. The first refinement, called compression, uses the 
notion of polarity [3] to impose a simple strategy on traces. It does not rely on data
analysis at all and can easily be used as a replacement for the usual semantics in verification 
algorithms. The second one, called reduction, takes data into account and achieves optimality 
in eliminating redundant traces. In practice, the reduction step can be implemented in an
approximated fashion, through an extension of constraint resolution procedures. We have 
done so in the tool Apte, showing that our theoretical results do translate to significant 
practical optimisations. 

Outline. We consider in Section a rich process algebra for representing security protocols. 
It supports arbitrary cryptographic primitives, and even includes a replication operator 
suitable for modelling unbounded numbers of sessions. Thus, we do not restrict to a particular 
fragment for which a decision procedure exists, but show the full scope of our theoretical 
results. We give in Section an annotated semantics that will facilitate the next technical
developments. We then define our compressed semantics in Section and the reduced 
semantics in Section In both sections, we first restrict the transition system, then show 
that the restriction is adequate for checking trace equivalence under some action-determinism 
condition. We finally discuss how these results can be lifted to the symbolic setting in 
Section. Specifically, we describe how we have implemented our techniques in Apte, and we
present experimental results showing that the optimisations are fully effective in practice. 
We discuss related work in Section and conclude in Section Complete proofs are given 
in appendices. 

Model for security protocols 

In this section we introduce our process algebra, which is a variant of the applied π-calculus [T]
that has been designed with the aim of modelling cryptographic protocols. Processes can 
exchange complex messages, represented by terms quotiented by some equational theory. 

One of the key difficulties in the applied π-calculus is to model the knowledge of the
environment, seen as an attacker who listens to network communication and may also inject 
messages. One has to make a distinction between the content of a message (sent by the 
environment) and the way the message has been created (from knowledge available to the 
environment). While the distinction between messages and recipes came from security 
applications, it is naturally of much broader interest, as it gives a precise, intentional content 
to labelled transitions that we exploit to analyse data dependencies. 

We study a process algebra that may seem quite restrictive: we forbid internal communication
and private channels. This is however reasonable when studying security protocols
faced with the usual omnipotent attacker. In such a setting, we end up considering the 
worst-case scenario where any communication has to be made via the environment. 

2.1 Syntax 

We assume a number of disjoint and infinite sets: a set $\mathcal{C}$ of channels, whose elements are
denoted by $a, b, c$; a set $\mathcal{N}$ of private names or nonces, denoted by $n$ or $k$; a set $\mathcal{X}$ of variables,
denoted by $x, y, z$ as usual; and a set $\mathcal{W}$ of handles, denoted by $w$ and used for referring to
previously output terms. Next, we consider a signature $\Sigma$ consisting of a finite set of function
symbols together with their arity. Terms over $S$, written $\mathcal{T}(S)$, are inductively generated
from $S$ and function symbols from $\Sigma$. When $S \subseteq \mathcal{N}$, elements of $\mathcal{T}(S)$ are called messages.
When $S \subseteq \mathcal{W}$, they are called recipes and written $M$, $N$. Intuitively, recipes express how a
message has been derived by the environment from the messages obtained so far. Finally, we
consider an equational theory $\mathsf{E}$ over terms to assign a meaning to function symbols in $\Sigma$.

► Example 1. Let $\Sigma = \{\mathsf{enc}/2, \mathsf{dec}/2, \mathsf{h}/1\}$ and $\mathsf{E}$ be the equational theory induced by the
equation $\mathsf{dec}(\mathsf{enc}(x,y),y) = x$. Intuitively, the symbols enc and dec represent symmetric
encryption and decryption, whereas h is used to model a hash function. Now, assume that
the environment knows the key $k$ as well as the ciphertext $\mathsf{enc}(n,k)$, and that these two
messages are referred to by handles $w$ and $w'$. The environment may decrypt the ciphertext
with the key $k$, apply the hash function, and encrypt the result using $k$ to get the message
$m_0 = \mathsf{enc}(\mathsf{h}(n), k)$. This computation is modelled using the recipe $M_0 = \mathsf{enc}(\mathsf{h}(\mathsf{dec}(w', w)), w)$.

© David Baelde, Stephanie Delaune, and Lucca Hirschi;
licensed under Creative Commons License CC-BY

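► Definition 2. Processes are defined by the following syntax where $c, a \in \mathcal{C}$, $x \in \mathcal{X}$,
$u, v \in \mathcal{T}(\mathcal{N} \cup \mathcal{X})$, and $\vec{c}$ (resp. $\vec{n}$) is a sequence of channels from $\mathcal{C}$ (resp. names from $\mathcal{N}$).

$$P, Q ::= 0 \mid (P \mid Q) \mid \mathsf{in}(c,x).P \mid \mathsf{out}(c,u).P \mid \text{if } u = v \text{ then } P \text{ else } Q \mid\ !^{a}_{\vec{c},\vec{n}} P$$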

The last construct combines replication with channel and name restriction: $!^{a}_{\vec{c},\vec{n}} P$ may be
read as $!(\nu\vec{c}.\mathsf{out}(a,\vec{c}).\nu\vec{n}.P)$ in standard applied π-calculus. Our goal with this compound
construct is to support replication in a way that is not fundamentally incompatible with the
action-determinism condition which we eventually impose on our processes. This is achieved
here by advertising on the public channel $a$ any new copy of the replicated process. At the
same time, we make public the new channels $\vec{c}$ on which the copy may operate — but not
the new names $\vec{n}$. While it may seem restrictive, this style is actually natural for security
protocols where the attacker knows exactly to whom he is sending a message and from whom
he is receiving, e.g., via IP addresses.

We shall only consider ground processes, where each variable is bound by an input. We 
denote by fc(P) and bc(P) the set of free and bound channels of P. 

► Example 3. The process $P_0$ models an agent who sends the ciphertext $\mathsf{enc}(n,k)$, and then
waits for an input on $c$. In case the input has the expected form, the constant ok is emitted.

$$P_0 = \mathsf{out}(c, \mathsf{enc}(n,k)).\mathsf{in}(c,x).\text{if } \mathsf{dec}(x,k) = \mathsf{h}(n) \text{ then } \mathsf{out}(c,\mathsf{ok}).0 \text{ else } 0$$

The processes $P_0$ as well as $!^{a}_{c,n} P_0$ are ground. We have that $\mathrm{fc}(P_0) = \{c\}$ and $\mathrm{bc}(P_0) = \emptyset$
whereas $\mathrm{fc}(!^{a}_{c,n} P_0) = \{a\}$ and $\mathrm{bc}(!^{a}_{c,n} P_0) = \{c\}$.


2.2 Semantics 


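We only consider processes that are normal w.r.t. internal reduction $\rightsquigarrow$ defined as follows:

$$\begin{array}{ll}
\text{if } u = v \text{ then } P \text{ else } Q \rightsquigarrow P & \text{when } u =_{\mathsf{E}} v \\
\text{if } u = v \text{ then } P \text{ else } Q \rightsquigarrow Q & \text{when } u \neq_{\mathsf{E}} v \\
(P_1 \mid P_2) \mid P_3 \rightsquigarrow P_1 \mid (P_2 \mid P_3) & \\
P \mid Q \rightsquigarrow P' \mid Q \ \text{ and } \ Q \mid P \rightsquigarrow Q \mid P' & \text{when } P \rightsquigarrow P' \\
P \mid 0 \rightsquigarrow P & \\
0 \mid P \rightsquigarrow P &
\end{array}$$

Any process in normal form built from parallel composition can be uniquely written as
$P_1 \mid (P_2 \mid (\ldots \mid P_n))$ with $n \geq 2$, which we note $\Pi_{i=1}^{n} P_i$, where each process $P_i$ is neither a
parallel composition nor the process 0.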

We now define our labelled transition system. It deals with configurations (denoted
by $A$, $B$) which are pairs $(\mathcal{P}; \Phi)$ where $\mathcal{P}$ is a multiset of ground processes and $\Phi$, called
the frame, is a substitution mapping handles to messages that have been made available to
the environment. Given a configuration $A$, $\Phi(A)$ denotes its second component. Given a
frame $\Phi$, $\mathrm{dom}(\Phi)$ denotes its domain.


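$$\begin{array}{lll}
\text{In} & (\{\mathsf{in}(c,x).Q\} \uplus \mathcal{P}; \Phi) \xrightarrow{\mathsf{in}(c,M)} (\{Q\{M\Phi/x\}\} \uplus \mathcal{P}; \Phi) & M \in \mathcal{T}(\mathrm{dom}(\Phi)) \\
\text{Out} & (\{\mathsf{out}(c,u).Q\} \uplus \mathcal{P}; \Phi) \xrightarrow{\mathsf{out}(c,w)} (\{Q\} \uplus \mathcal{P}; \Phi \cup \{w \mapsto u\}) & w \in \mathcal{W} \text{ fresh} \\
\text{Repl} & (\{!^{a}_{\vec{c},\vec{n}} P\} \uplus \mathcal{P}; \Phi) \xrightarrow{\mathsf{sess}(a,\vec{c})} (\{P;\ !^{a}_{\vec{c},\vec{n}} P\} \uplus \mathcal{P}; \Phi) & \vec{c}, \vec{n} \text{ fresh} \\
\text{Par} & (\{\Pi_{i=1}^{n} P_i\} \uplus \mathcal{P}; \Phi) \xrightarrow{\tau} (\{P_1, \ldots, P_n\} \uplus \mathcal{P}; \Phi) & \\
\text{Zero} & (\{0\} \uplus \mathcal{P}; \Phi) \xrightarrow{\tau} (\mathcal{P}; \Phi) &
\end{array}$$
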
Rule In expresses that an input process may receive any message that the environment
can derive from the current frame. In rule Out, the frame is enriched with a new message.
The last two rules simply translate the parallel structure of processes into the multiset
structure of the configuration. As explained above, rule Repl combines the replication of a
process together with the creation of new channels and nonces. The channels $\vec{c}$ are implicitly
made public, but the newly created names $\vec{n}$ remain private. Remark that channels $\vec{c}$
and names $\vec{n}$ must be fresh, i.e., they do not appear free in the original configuration. As
usual, freshness conditions do not block executions: it is always possible to rename bound
channels $\vec{c}$ and names $\vec{n}$ of a process before applying Repl. We denote by $\mathrm{bc}(\mathsf{tr})$
the bound channels of a trace $\mathsf{tr}$, i.e., all the channels that occur in the second argument of an
action $\mathsf{sess}(a,\vec{c})$ in $\mathsf{tr}$, and we consider traces where channels are bound at most once.


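► Example 4. Going back to Example with $\Phi_0 = \{w_1 \mapsto k\}$, we have that:

$$(\{!^{a}_{c,n} P_0\}; \Phi_0) \xrightarrow{\mathsf{sess}(a,c).\mathsf{out}(c,w_2).\mathsf{in}(c,M_0)} (\{\mathsf{out}(c,\mathsf{ok}).0;\ !^{a}_{c,n} P_0\}; \Phi)$$

where $\Phi = \{w_1 \mapsto k, w_2 \mapsto \mathsf{enc}(n,k)\}$ and $M_0 = \mathsf{enc}(\mathsf{h}(\mathsf{dec}(w_2, w_1)), w_1)$.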


2.3 Equivalences 

We are concerned with trace equivalence, which is used laiiz] to model anonymity, untraceability,
strong secrecy, etc. Finer behavioural equivalences, e.g., weak bisimulation,
appear to be too strong with respect to what an attacker can really observe. Intuitively, two 
configurations are trace equivalent if the attacker cannot tell whether he is interacting with 
one or the other. To make this formal, we introduce a notion of equivalence between frames. 

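► Definition 5. Two frames $\Phi$ and $\Phi'$ are in static equivalence, written $\Phi \sim \Phi'$, when
$\mathrm{dom}(\Phi) = \mathrm{dom}(\Phi')$, and: $M\Phi =_{\mathsf{E}} N\Phi \Leftrightarrow M\Phi' =_{\mathsf{E}} N\Phi'$ for any terms $M, N \in \mathcal{T}(\mathrm{dom}(\Phi))$.

► Example 6. Continuing Example, consider $\Phi' = \{w_1 \mapsto k', w_2 \mapsto \mathsf{enc}(n,k)\}$. The test
$\mathsf{enc}(\mathsf{dec}(w_2, w_1), w_1) = w_2$ is true in $\Phi$ but not in $\Phi'$, thus $\Phi \not\sim \Phi'$.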
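
The static-equivalence check of Definition 5, run on the frames of Examples 4 and 6, as an added example (not code from the paper or from Apte). It assumes terms are encoded as nested tuples and decides equality modulo E by normalising with the single rule dec(enc(x, y), y) -> x; the search over recipes is bounded by depth, so it can only refute equivalence.

```python
from itertools import product

# Signature of Example 1: function symbol -> arity.
SIGNATURE = {"enc": 2, "dec": 2, "h": 1}


def normalize(term):
    """Normal form for the rule dec(enc(x, y), y) -> x, applied innermost first.

    Atoms (names in messages, handles in recipes) are strings; an application
    f(t1, ..., tn) is the tuple ("f", t1, ..., tn). The rule is convergent, so
    two terms are equal modulo E exactly when their normal forms are identical.
    """
    if isinstance(term, str):
        return term
    head, *args = term
    args = [normalize(a) for a in args]
    if head == "dec" and isinstance(args[0], tuple) and args[0][0] == "enc":
        _, plaintext, key = args[0]
        if key == args[1]:
            return plaintext  # already normalised by the recursive calls
    return (head, *args)


def apply_recipe(recipe, frame):
    """Message denoted by a recipe in a frame: substitute handles, normalise."""
    def substitute(t):
        if isinstance(t, str):
            return frame[t]  # recipes only mention handles of dom(frame)
        return (t[0], *(substitute(a) for a in t[1:]))
    return normalize(substitute(recipe))


def holds(m, n, frame):
    """Does the test M = N hold in the frame?"""
    return apply_recipe(m, frame) == apply_recipe(n, frame)


def recipes(handles, depth):
    """All recipes over the handles whose nesting depth is at most `depth`."""
    level = list(handles)
    for _ in range(depth):
        level = list(handles) + [
            (f, *args)
            for f, arity in SIGNATURE.items()
            for args in product(level, repeat=arity)
        ]
    return level


def find_distinguisher(phi1, phi2, depth):
    """Search for a test (M, N) that holds in exactly one of the two frames.

    A result proves the frames are not statically equivalent; None only means
    that no test of this size separates them.
    """
    if phi1.keys() != phi2.keys():
        raise ValueError("static equivalence requires equal domains")
    candidates = recipes(sorted(phi1), depth)
    values1 = [apply_recipe(r, phi1) for r in candidates]
    values2 = [apply_recipe(r, phi2) for r in candidates]
    for i in range(len(candidates)):
        for j in range(i + 1, len(candidates)):
            if (values1[i] == values1[j]) != (values2[i] == values2[j]):
                return candidates[i], candidates[j]
    return None


# Frames of Examples 4 and 6: the second one holds a different key k'.
PHI = {"w1": "k", "w2": ("enc", "n", "k")}
PHI_PRIME = {"w1": "k'", "w2": ("enc", "n", "k")}

if __name__ == "__main__":
    print(find_distinguisher(PHI, PHI_PRIME, depth=2))
```
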

We then define $\mathrm{obs}(\mathsf{tr})$ to be the subsequence of $\mathsf{tr}$ obtained by erasing $\tau$ actions.

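► Definition 7. Let $A$ and $B$ be two configurations. We say that $A \sqsubseteq B$ when, for any
$A \xrightarrow{\mathsf{tr}} A'$ such that $\mathrm{bc}(\mathsf{tr}) \cap \mathrm{fc}(B) = \emptyset$, there exists $B \xrightarrow{\mathsf{tr}'} B'$ such that $\mathrm{obs}(\mathsf{tr}) = \mathrm{obs}(\mathsf{tr}')$ and
$\Phi(A') \sim \Phi(B')$. They are trace equivalent, written $A \approx B$, when $A \sqsubseteq B$ and $B \sqsubseteq A$.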

In order to lift our optimised semantics to trace equivalence, we will require configurations 
to be action-deterministic. This common assumption in POR techniques [7] is also reasonable 
in the context of security protocols, where the attacker knows with whom he is communicating. 

► Definition 8. A configuration $A$ is action-deterministic if whenever $A \xrightarrow{\mathsf{tr}} (\mathcal{P}; \Phi)$, and $P$, $Q$
are two elements of $\mathcal{P}$, we have that $P$ and $Q$ cannot perform an observable action of the
same nature (in, out, or sess) on the same channel (i.e., if both actions are of same nature,
their first argument has to differ).

Annotated semantics 

We shall now define an intermediate semantics whose transitions are equipped with more 
informative actions. The annotated actions will notably feature labels $\ell \in \mathbb{N}^{*}$ indicating from
which concurrent processes they originate. A labelled action will be written $[\alpha]^{\ell}$ where $\alpha$ is
an action and $\ell$ is a label. Similarly, a labelled process will be written $[P]^{\ell}$. When reasoning
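$$\begin{array}{ll}
\text{In/Out} & \dfrac{(\{P\} \uplus \mathcal{P}; \Phi) \xrightarrow{\alpha} (\{P'\} \uplus \mathcal{P}; \Phi') \qquad \alpha \in \{\mathsf{in}(\_,\_); \mathsf{out}(\_,\_)\}}{(\{[P]^{\ell}\} \uplus \mathcal{P}; \Phi) \xrightarrow{[\alpha]^{\ell}}_{a} (\{[P']^{\ell}\} \uplus \mathcal{P}; \Phi')} \\[2ex]
\text{Repl} & (\{[!^{a}_{\vec{c},\vec{n}} P_0]^{\ell}\} \uplus \mathcal{P}; \Phi) \xrightarrow{[\mathsf{sess}(a,\vec{c})]^{\ell}}_{a} (\{[P_0]^{\ell\cdot 1}, [!^{a}_{\vec{c},\vec{n}} P_0]^{\ell\cdot 2}\} \uplus \mathcal{P}; \Phi) \qquad \vec{c}, \vec{n} \text{ fresh} \\[1ex]
\text{Par} & (\{[\Pi_{i=1}^{n} P_i]^{\ell}\} \uplus \mathcal{P}; \Phi) \xrightarrow{[\mathsf{par}(\sigma_1 \ldots \sigma_n)]^{\ell}}_{a} (\{[P_{\pi(1)}]^{\ell\cdot 1}, \ldots, [P_{\pi(n)}]^{\ell\cdot n}\} \uplus \mathcal{P}; \Phi) \\
 & \sigma_i = \mathrm{sk}(P_i) \text{ and } \pi \text{ is a permutation over } [1, \ldots, n] \text{ such that } \sigma_{\pi(1)} < \cdots < \sigma_{\pi(n)} \\[1ex]
\text{Zero} & (\{[0]^{\ell}\} \uplus \mathcal{P}; \Phi) \xrightarrow{[\mathsf{zero}]^{\ell}}_{a} (\mathcal{P}; \Phi)
\end{array}$$

Figure 1 Annotated semantics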


about trace equivalence between two configurations, it will be crucial to maintain a consistent 
labelling between configurations along the execution. In order to do so, we define skeletons 
of observable actions, which are of the form $\mathsf{in}_c$, $\mathsf{out}_c$ or $!^{a}$ where $a, c \in \mathcal{C}$, and we assume
a total ordering over those skeletons, denoted $<$ with $\leq$ its reflexive closure. Any process
that is neither 0 nor a parallel composition induces a skeleton corresponding to its toplevel 
connective, and we denote it by sk(P). 

We define in Figure 1 the annotated semantics $\rightarrow_{a}$ over configurations whose processes
are labelled. In Par, note that sk(Pi) is well defined as Pi cannot be a zero or a parallel 
composition. Also note that the label of an action is always that of the active process in 
that transition. More importantly, the annotated transition system does not restrict the 
executions of a process but simply annotates them with labels, and replaces $\tau$ actions by
more descriptive actions. 

We now define how to extract sequential dependencies from labels, which will allow us to 
analyse concurrency in a trace without referring to configurations. 

► Definition 9. Two labels are dependent if one is a prefix of the other. We say that the 
labelled actions $\alpha$ and $\beta$ are sequentially dependent when their labels are dependent, and
recipe dependent when $\{\alpha, \beta\} = \{[\mathsf{in}(c, M)]^{\ell}, [\mathsf{out}(c', w)]^{\ell'}\}$ with $w$ occurring in $M$. They
are dependent when they are either sequentially or recipe dependent. Otherwise, they are 
independent. 

► Definition 10. A configuration (P; $) is well labelled if P is a multiset of labelled processes 
such that two elements of P have independent labels. 

Obviously, any unlabelled configuration may be well labelled. Further, it is easy to see 
that well labelling is preserved by $\rightarrow_{a}$. Thus, we shall implicitly assume to be working with
well labelled configurations in the rest of the paper. Under this assumption, we obtain the 
following fundamental lemma. 

► Lemma 11. Let $A$ be a (well labelled) configuration, $\alpha$ and $\beta$ be two independent labelled
actions. We have $A \xrightarrow{\alpha.\beta}_{a} A'$ if, and only if, $A \xrightarrow{\beta.\alpha}_{a} A'$.

3.0.0.1 Symmetries of trace equivalence. 

We will see that, when checking $A \approx B$ for action-deterministic configurations, it is sound to
require that $B$ can perform all traces of $A$ in the annotated semantics (and the converse).
In other words, labels and detailed non-observable actions zero and $\mathsf{par}(\sigma_1 \ldots \sigma_n)$ are
actually relevant for trace equivalence. Obviously, this can only hold if A and B are labelled 











consistently. In order to express this, we extend sk(P) to parallel and zero processes: we 
let their skeletons be the associated action in the annotated semantics. Next, we define 
the labelled skeletons by $\mathrm{skl}([P]^{\ell}) = [\mathrm{sk}(P)]^{\ell}$. When checking for equivalence of $A$ and $B$,
we shall assume that skl(A) = skl(B), i.e., the configurations have the same set of labelled 
skeletons. This technical condition is obviously not restrictive in practice. 


► Example 12. Let $A = (\{[\mathsf{in}(a,x).((\mathsf{out}(b,m).P_1) \mid P_2)]^{0}\}; \Phi)$ with $P_1 = \mathsf{in}(c,y).0$ and
$P_2 = \mathsf{in}(d,z).0$, and $B$ the configuration obtained from $A$ by swapping $P_1$ and $P_2$. We have
$\mathrm{skl}(A) = \mathrm{skl}(B) = \{[\mathsf{in}_a]^{0}\}$. Consider the following trace:

$\mathsf{tr} = [\mathsf{in}(a,\mathsf{ok})]^{0}.[\mathsf{par}(\{\mathsf{out}_b; \mathsf{in}_d\})]^{0}.[\mathsf{out}(b,w)]^{0\cdot 1}.[\mathsf{in}(c,w)]^{0\cdot 1}.$[in(d,

Assuming $\mathsf{out}_b < \mathsf{in}_d$ and $\mathsf{ok} \in \Sigma$, we have $A \xrightarrow{\mathsf{tr}}_{a} A'$. However, there is no $B'$ such that
$B \xrightarrow{\mathsf{tr}}_{a} B'$, for two reasons. First, $B$ cannot perform the second action since skeletons of
sub-processes of its parallel composition are $\{\mathsf{out}_b; \mathsf{in}_c\}$. Second, even if we ignored that
mismatch on a non-observable action, $B$ would not be able to perform the action $\mathsf{in}(c, w)$
with the right label. Such mismatches can actually be systematically used to show $A \not\approx B$,
as shown next.


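► Lemma 13. Let $A$ and $B$ be two action-deterministic configurations such that $A \approx B$ and
$\mathrm{skl}(A) = \mathrm{skl}(B)$. For any execution

with $\mathrm{bc}(\alpha_1.\ldots.\alpha_n) \cap \mathrm{fc}(B) = \emptyset$, there exists an execution

$$B \xrightarrow{\alpha_1}_{a} B_1 \xrightarrow{\alpha_2}_{a} \cdots \xrightarrow{\alpha_n}_{a} B_n$$

such that $\Phi(A_i) \sim \Phi(B_i)$ and $\mathrm{skl}(A_i) = \mathrm{skl}(B_i)$ for any $1 \leq i \leq n$.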


Compression 

Our first refinement of the semantics, which we call compression, is closely related to focusing 
from proof theory [3]: we will assign a polarity to processes and constrain the shape of
executed traces based on those polarities. This will provide a first significant reduction of 
the number of traces to consider when checking reachability-based properties such as secrecy, 
and more importantly, equivalence-based properties in the action-deterministic case. 

► Definition 14. A process $P$ is positive if it is of the form $\mathsf{in}(c,x).Q$, and it is negative
otherwise. A multiset of processes $\mathcal{P}$ is initial if it contains only positive or replicated
processes, i.e., of the form $!^{a}_{\vec{c},\vec{n}} Q$.

The compressed semantics (see Figure 2) is built upon the annotated semantics. It
constrains the traces to follow a particular strategy, alternating between negative and positive
phases. It uses enriched configurations of the form $(\mathcal{P}; F; \Phi)$ where $(\mathcal{P}; \Phi)$ is a labelled
configuration and $F$ is either a process (signalling which process is under focus in the positive
phase) or $\emptyset$ (in the negative phase). The negative phase lasts until the configuration is
initial (i.e., unfocused with an initial underlying multiset of processes) and in that phase
we perform actions that decompose negative non-replicated processes. This is done using 
the Neg rule, in a completely deterministic way. When the configuration becomes initial, a 
positive phase starts: we choose one process and start executing the actions of that process 
(only inputs, possibly preceded by a new session) without the ability to switch to another 
process of the multiset, until a negative subprocess is released and we go back to the negative 
phase. The active process in the positive phase is said to be under focus. Between any 
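$$\begin{array}{ll}
\text{Start/In} & \dfrac{\mathcal{P} \text{ is initial} \qquad (P; \Phi) \xrightarrow{\mathsf{in}(c,M)}_{a} (P'; \Phi)}{(\mathcal{P} \uplus \{P\}; \emptyset; \Phi) \xrightarrow{\mathsf{foc}(\mathsf{in}(c,M))}_{c} (\mathcal{P}; P'; \Phi)} \\[3ex]
\text{Start/!} & \dfrac{\mathcal{P} \text{ is initial} \qquad (!^{a}_{\vec{c},\vec{n}} P; \Phi) \xrightarrow{\mathsf{sess}(a,\vec{c})}_{a} (\{!^{a}_{\vec{c},\vec{n}} P; Q\}; \Phi)}{(\mathcal{P} \uplus \{!^{a}_{\vec{c},\vec{n}} P\}; \emptyset; \Phi) \xrightarrow{\mathsf{foc}(\mathsf{sess}(a,\vec{c}))}_{c} (\mathcal{P} \uplus \{!^{a}_{\vec{c},\vec{n}} P\}; Q; \Phi)} \\[3ex]
\text{Pos/In} & \dfrac{(P; \Phi) \xrightarrow{\mathsf{in}(c,M)}_{a} (P'; \Phi)}{(\mathcal{P}; P; \Phi) \xrightarrow{\mathsf{in}(c,M)}_{c} (\mathcal{P}; P'; \Phi)} \\[3ex]
\text{Neg} & \dfrac{(P; \Phi) \xrightarrow{\alpha}_{a} (\mathcal{P}'; \Phi')}{(\mathcal{P} \uplus \{P\}; \emptyset; \Phi) \xrightarrow{\alpha}_{c} (\mathcal{P} \uplus \mathcal{P}'; \emptyset; \Phi')} \qquad \alpha \in \{\mathsf{par}(\_), \mathsf{zero}, \mathsf{out}(\_,\_)\} \\[3ex]
\text{Release} & (\mathcal{P}; [P]^{\ell}; \Phi) \xrightarrow{[\mathsf{rel}]^{\ell}}_{c} (\mathcal{P} \uplus \{[P]^{\ell}\}; \emptyset; \Phi) \quad \text{when } P \text{ is negative}
\end{array}$$

Labels are implicitly set in the same way as in the annotated semantics. Neg is made
non-branching by imposing an arbitrary order on labelled skeletons of available actions.

Figure 2 Compressed semantics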


two initial configurations, the compressed semantics executes a sequence of actions, called
blocks, of the form $\mathsf{foc}(\alpha).\mathsf{tr}^{+}.\mathsf{rel}.\mathsf{tr}^{-}$ where $\mathsf{tr}^{+}$ is a (possibly empty) sequence of input
actions, whereas $\mathsf{tr}^{-}$ is a (possibly empty) sequence of out, par, and zero actions. Note
that, except for the choice of recipes, the compressed semantics is completely non-branching 
when executing a block. It may branch only when choosing which block to execute. 


4.1 Reachability 

We now formalise the relationship between traces of the compressed and annotated semantics. 
In order to do so, we translate between configuration and enriched configuration as follows: 

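$\lceil(\mathcal{P}; \Phi)\rceil = (\mathcal{P}; \emptyset; \Phi)$, $\lfloor(\mathcal{P}; \emptyset; \Phi)\rfloor = (\mathcal{P}; \Phi)$ and $\lfloor(\mathcal{P}; P; \Phi)\rfloor = (\mathcal{P} \uplus \{P\}; \Phi)$.

Similarly, we map compressed traces to annotated ones:

$\lfloor\epsilon\rfloor = \epsilon$, $\lfloor\mathsf{foc}(\alpha).\mathsf{tr}\rfloor = \alpha.\lfloor\mathsf{tr}\rfloor$, $\lfloor\mathsf{rel}.\mathsf{tr}\rfloor = \lfloor\mathsf{tr}\rfloor$ and $\lfloor\alpha.\mathsf{tr}\rfloor = \alpha.\lfloor\mathsf{tr}\rfloor$ otherwise.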

We observe that we can map any execution in the compressed semantics to an execution 
in the annotated semantics. Indeed, a compressed execution is simply an annotated execution 
with some annotations (i.e., foc and rel) indicating the start of a positive/negative phase.


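► Lemma 15. For any configurations $A$, $A'$ and $\mathsf{tr}$, $A \xrightarrow{\mathsf{tr}}_{c} A'$ implies $\lfloor A \rfloor \xrightarrow{\lfloor\mathsf{tr}\rfloor}_{a} \lfloor A' \rfloor$.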


Going in the opposite direction is more involved. In general, mapping annotated executions
to compressed ones requires reordering actions. Compressed executions also force negative
actions to be performed unconditionally, which we compensate by considering complete
executions of a configuration, i.e., executions after which no more action can be performed
except possibly the ones that consist in unfolding a replication (i.e., rule Repl). Inspired by
the positive trunk argument of m, we show the following lemma.

► Lemma 16. Let $A$, $A'$ be two configurations and $\mathsf{tr}$ be such that $A \xrightarrow{\mathsf{tr}}_{a} A'$ is complete.
There exists a trace $\mathsf{tr}_c$, such that $\lfloor\mathsf{tr}_c\rfloor$ can be obtained from $\mathsf{tr}$ by swapping independent
labelled actions, and $\lceil A \rceil \xrightarrow{\mathsf{tr}_c}_{c} \lceil A' \rceil$.
Proof sketch. We proceed by induction on the length of a complete execution starting from $A$.
If $A$ is not initial, then we need to execute some negative action using Neg: this action
must be present somewhere in the complete execution, and we can permute it with preceding
actions using Lemma. If $A$ is initial, we analyse the prefix of input and session actions
and we extract a subsequence of that prefix that corresponds to a full positive phase. ◄


4.2 Equivalence 

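We now define compressed trace equivalence ($\approx_{c}$) and prove that it coincides with $\approx$.

► Definition 17. Let $A$ and $B$ be two configurations. We say that $A \sqsubseteq_{c} B$ when, for any
$A \xrightarrow{\mathsf{tr}}_{c} A'$ such that $\mathrm{bc}(\mathsf{tr}) \cap \mathrm{fc}(B) = \emptyset$, there exists $B \xrightarrow{\mathsf{tr}}_{c} B'$ such that $\Phi(A') \sim \Phi(B')$. They
are compressed trace equivalent, denoted $A \approx_{c} B$, if $A \sqsubseteq_{c} B$ and $B \sqsubseteq_{c} A$.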

Compressed trace equivalence can be more efficiently checked than regular trace equivalence.
Obviously, it explores fewer interleavings by relying on $\rightarrow_{c}$ rather than $\rightarrow$. It also
requires that traces of one process can be played exactly by the other, including details
such as non-observable actions, labels, and focusing annotations. The subtleties shown
in Example 12 are crucial for the completeness of compressed equivalence w.r.t. regular
equivalence. Since the compressed semantics forces available outputs to be performed before,
e.g., input actions, some non-equivalences are only detected thanks to the labels and detailed
non-observable actions of our annotated semantics.


► Theorem 18. Let $A$ and $B$ be two action-deterministic configurations with $\mathrm{skl}(A) = \mathrm{skl}(B)$.
We have $A \approx B$ if, and only if, $\lceil A \rceil \approx_{c} \lceil B \rceil$.


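Proof sketch. ($\Rightarrow$) Consider an execution $\lceil A \rceil \xrightarrow{\mathsf{tr}}_{c} A'$. Using Lemma 15 we get $A \xrightarrow{\lfloor\mathsf{tr}\rfloor}_{a} \lfloor A' \rfloor$.
Then, Lemma yields $B \xrightarrow{\lfloor\mathsf{tr}\rfloor}_{a} B'$ for some $B'$ such that $\Phi(\lfloor A' \rfloor) \sim \Phi(B')$ and labelled
skeletons are equal all along the executions. Relying on those skeletons, we show that
positive/negative phases are synchronised, and thus $\lceil B \rceil \xrightarrow{\mathsf{tr}}_{c} B''$ for some $B''$ with $\lfloor B'' \rfloor = B'$.
($\Leftarrow$) Consider an execution $A \xrightarrow{\mathsf{tr}}_{a} A'$. We first observe that it suffices to consider only complete
executions there. This allows us to get a compressed execution $\lceil A \rceil \xrightarrow{\mathsf{tr}_c}_{c} \lceil A' \rceil$ by Lemma 16.
Since $\lceil A \rceil \approx_{c} \lceil B \rceil$, there exists $B'$ such that $\lceil B \rceil \xrightarrow{\mathsf{tr}_c}_{c} B'$ with $\Phi(\lceil A' \rceil) \sim \Phi(B')$. Thus we
have $B \xrightarrow{\lfloor\mathsf{tr}_c\rfloor}_{a} \lfloor B' \rfloor$ but also $B \xrightarrow{\mathsf{tr}}_{a} \lfloor B' \rfloor$ thanks to Lemma 11.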

Improper blocks. Note that blocks of the form foc(a).tr+.rel.zero do not bring any new 
information to the attacker. While it would be incorrect to fully ignore such improper blocks, 
we can show that it is sufficient to consider them at the end of traces. We can thus consider 
a further optimised compressed trace equivalence that only checks for proper traces, i.e., ones 
that have at most one improper block and only at the end of trace. We have also shown that 
this optimised compressed trace equivalence actually coincides with $\approx_{c}$.


Reduction 

Our compressed semantics cuts down interleavings by using a simple focused strategy. 
However, this semantics does not analyse the data dependencies that arise when an input
depends on an output, and is thus unable to exploit the independence of blocks to reduce
interleavings. We tackle this problem now.

► Definition 19. Two blocks $b_1$ and $b_2$ are independent, written $b_1 \parallel b_2$, when all labelled
actions $\alpha_1 \in b_1$ and $\alpha_2 \in b_2$ are independent. Otherwise they are dependent, written $b_1 \nparallel b_2$.
Obviously, Lemma tells us that independent blocks can be permuted in a trace without
affecting the executability and the result of executing that trace. But this notion is not very
strong since it considers fixed recipes, which are irrelevant (in the end, only the derived
messages matter) and can easily introduce spurious dependencies. Thus we define a stronger
notion of equivalence over traces, which allows permutations of independent blocks but also
changes of recipes that preserve messages. During these permutations, we will also require
that traces remain plausible, which is defined as follows: $\mathsf{tr}$ is plausible if for any input
$\mathsf{in}(c, M)$ such that $\mathsf{tr} = \mathsf{tr}_1.\mathsf{in}(c, M).\mathsf{tr}_2$ then $M \in \mathcal{T}(W)$ where $W$ is the set of all handles
occurring in $\mathsf{tr}_1$. Given a block $b$, i.e. a sequence of the form $\mathsf{foc}(\alpha).\mathsf{tr}^{+}.\mathsf{rel}.\mathsf{tr}^{-}$, we denote
by $b^{+}$ (resp. $b^{-}$) the part of $b$ corresponding to the positive (resp. negative) phase, i.e.,
$b^{+} = \alpha.\mathsf{tr}^{+}$ (resp. $b^{-} = \mathsf{tr}^{-}$). We note $(b_1 =_{\mathsf{E}} b_2)\Phi$ when $b_1^{+}\Phi =_{\mathsf{E}} b_2^{+}\Phi$ and $b_1^{-} = b_2^{-}$.

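► Definition 20. Given a frame $\Phi$, the relation $\equiv_{\Phi}$ is the smallest equivalence over plausible
compressed traces such that $\mathsf{tr}.b_1.b_2.\mathsf{tr}' \equiv_{\Phi} \mathsf{tr}.b_2.b_1.\mathsf{tr}'$ when $b_1 \parallel b_2$, and $\mathsf{tr}.b_1.\mathsf{tr}' \equiv_{\Phi} \mathsf{tr}.b_2.\mathsf{tr}'$
when $(b_1 =_{\mathsf{E}} b_2)\Phi$.

► Lemma 21. Let $A$ and $A'$ be two initial configurations such that $A \xrightarrow{\mathsf{tr}}_{c} A'$. We have that
$A \xrightarrow{\mathsf{tr}'}_{c} A'$ for any $\mathsf{tr}' \equiv_{\Phi(A')} \mathsf{tr}$.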

We now turn to defining our reduced semantics, which is going to avoid the redundancies 
identified above by only executing specific representatives in equivalence classes modulo =$. 
More precisely, we shall only execute minimal traces according to some order, which we now 
introduce. We assume an order $\prec$ on blocks that is insensitive to recipes, and such that
independent blocks are always strictly ordered in one way or the other. We finally define $\prec_{lex}$
on compressed traces as the lexicographic extension of $\prec$ on blocks.

In order to incrementally build representatives that are minimal with respect to $\prec_{lex}$,
we define a predicate that expresses whether a block $b$ should be authorised after a given
trace $\mathsf{tr}$. Intuitively, this is the case only when, for any block $b' \succ b$ in $\mathsf{tr}$, dependencies forbid
to swap $b$ and $b'$. We define this with recipe dependencies first, then quantify over all recipes
to capture message dependencies.

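► Definition 22. A block $b$ is authorised after $\mathsf{tr}$, noted $\mathsf{tr} \triangleright b$, when $\mathsf{tr} = \epsilon$; or $\mathsf{tr} = \mathsf{tr}_0.b_0$ and
either (i) $b \nparallel b_0$ or (ii) $b \parallel b_0$, $b_0 \prec b$, and $\mathsf{tr}_0 \triangleright b$.

We finally define $\rightarrow_{r}$ as the least relation such that:

$$\begin{array}{ll}
\text{Init} & A \xrightarrow{\epsilon}_{r} A \\[2ex]
\text{Block} & \dfrac{A \xrightarrow{\mathsf{tr}}_{r} (\mathcal{P}; \emptyset; \Phi) \qquad (\mathcal{P}; \emptyset; \Phi) \xrightarrow{b}_{c} A'}{A \xrightarrow{\mathsf{tr}.b}_{r} A'} \quad \text{if } \mathsf{tr} \triangleright b' \text{ for all } b' \text{ with } (b' =_{\mathsf{E}} b)\Phi
\end{array}$$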

Our reduced semantics only applies to initial configurations: otherwise, no block can be 
performed. This is not restrictive since we can, without loss of generality, pre-execute 
non-observable and output actions that may occur at top level. 
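
The authorisation predicate of Definition 22, applied to every plausible ordering of three parallel one-block sessions, as an added example (not code from the paper or from Apte). It assumes each block is summarised by the label of its focused process and by the handles it uses and produces, takes the order on blocks to be the lexicographic order on those labels, treats `w0` as a handle of the initial frame, and keeps recipes fixed, so it covers recipe dependencies only and not the quantification over all recipes done by rule Block.

```python
from itertools import permutations
from typing import NamedTuple


class Block(NamedTuple):
    name: str
    label: tuple          # label of the focused process, a word over the naturals
    uses: frozenset       # handles occurring in the recipes of the block's inputs
    produces: frozenset   # handles introduced by the block's outputs


def labels_dependent(l1, l2):
    """Definition 9: two labels are dependent if one is a prefix of the other."""
    n = min(len(l1), len(l2))
    return l1[:n] == l2[:n]


def independent(b1, b2):
    """Definition 19, with each block summarised by its focus label and handles."""
    sequential = labels_dependent(b1.label, b2.label)
    recipe = bool(b1.uses & b2.produces) or bool(b2.uses & b1.produces)
    return not (sequential or recipe)


def precedes(b1, b2):
    """Assumed order on blocks; it reads labels only, hence ignores recipes."""
    return b1.label < b2.label


def authorised(trace, b):
    """Definition 22: is block b authorised after the trace?"""
    if not trace:
        return True
    *tr0, b0 = trace
    if not independent(b, b0):
        return True                                  # case (i)
    return precedes(b0, b) and authorised(tr0, b)    # case (ii)


def plausible(trace, known_handles):
    """Every input recipe only mentions handles that are already available."""
    known = set(known_handles)
    for b in trace:
        if not b.uses <= known:
            return False
        known |= b.produces
    return True


def explore(blocks, known_handles=("w0",)):
    """Return (plausible orders, orders kept by the authorisation predicate)."""
    orders = [p for p in permutations(blocks) if plausible(p, known_handles)]
    kept = [p for p in orders
            if all(authorised(p[:i], p[i]) for i in range(len(p)))]
    names = lambda ps: [tuple(b.name for b in p) for p in ps]
    return names(orders), names(kept)


def session(name, label, uses, produces):
    return Block(name, label, frozenset(uses), frozenset(produces))


# Constructed input: three one-block sessions running in parallel.
INDEPENDENT = [session("b1", (1,), {"w0"}, {"w1"}),
               session("b2", (2,), {"w0"}, {"w2"}),
               session("b3", (3,), {"w0"}, {"w3"})]
# Same sessions, but the input of b1 is now computed from the output of b3.
WITH_DATA_FLOW = [session("b1", (1,), {"w3"}, {"w1"}),
                  session("b2", (2,), {"w0"}, {"w2"}),
                  session("b3", (3,), {"w0"}, {"w3"})]

if __name__ == "__main__":
    for sample in (INDEPENDENT, WITH_DATA_FLOW):
        orders, kept = explore(sample)
        print(len(orders), "plausible orders, kept:", kept)
```

In both runs a single ordering survives, and it is the smallest one in the lexicographic order among the plausible orderings.
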


5.1 Reachability 

An easy induction on the compressed trace tr allows us to map an execution w.r.t. the 
reduced semantics to an execution w.r.t. the compressed semantics. 

► Lemma 23. For any configurations $A$ and $A'$, $A \xrightarrow{\mathsf{tr}}_{r} A'$ implies $A \xrightarrow{\mathsf{tr}}_{c} A'$.
Next, we show that our reduced semantics only explores specific representatives. Given a
frame $\Phi$, a plausible trace $\mathsf{tr}$ is $\Phi$-minimal if it is minimal in its equivalence class modulo
$\equiv_{\Phi}$.

► Lemma 24. Let $A$ be an initial configuration and $A' = (\mathcal{P}; \emptyset; \Phi)$ be a configuration such
that $A \xrightarrow{\mathsf{tr}}_{c} A'$. We have that $\mathsf{tr}$ is $\Phi$-minimal if, and only if, $A \xrightarrow{\mathsf{tr}}_{r} A'$.

Proof sketch. In order to relate minimality and executability in the reduced semantics, let us 
say that a trace is bad if it is of the form $\mathsf{tr}.b_0 \ldots b_n.b'.\mathsf{tr}'$ where $n \geq 0$, there exists a block $b''$
such that $(b'' =_{\mathsf{E}} b')\Phi$, we have $b_i \parallel b''$ for all $i$, and $b_i \prec b'' \prec b_0$ for all $i > 0$. This pattern
is directly inspired by the characterisation of lexicographic normal forms by Anisimov and
Knuth in trace monoids [1]. We note that a trace that can be executed in the compressed
semantics can also be executed in the reduced semantics if, and only if, it is not bad. Since
the badness of a trace allows swapping $b'$ before $b_0$, and thus obtaining a smaller trace in the
class $\equiv_{\Phi}$, we show that a bad trace cannot be $\Phi$-minimal (and conversely). ◄


5.2 Equivalence 


The reduced semantics induces an equivalence that we define similarly to the compressed
one, and we then establish its soundness and completeness w.r.t. $\approx_{c}$.

► Definition 25. Let $A$ and $B$ be two configurations. We say that $A \sqsubseteq_{r} B$ when, for every
$A \xrightarrow{\mathsf{tr}}_{r} A'$ such that $\mathrm{bc}(\mathsf{tr}) \cap \mathrm{fc}(B) = \emptyset$, there exists $B \xrightarrow{\mathsf{tr}}_{r} B'$ such that $\Phi(A') \sim \Phi(B')$.
They are reduced trace equivalent, denoted $A \approx_{r} B$, if $A \sqsubseteq_{r} B$ and $B \sqsubseteq_{r} A$.


► Theorem 26. Let $A$ and $B$ be two initial, action-deterministic configurations.

$A \approx_{c} B$ if, and only if, $A \approx_{r} B$


Proof sketch. We first prove that $\mathsf{tr} \equiv_{\Phi} \mathsf{tr}'$ iff $\mathsf{tr} \equiv_{\Psi} \mathsf{tr}'$ when $\Phi \sim \Psi$. ($\Rightarrow$) This implication is
then an easy consequence of Lemma 24. ($\Leftarrow$) We start by showing that it suffices to consider
a complete execution $A \xrightarrow{\mathsf{tr}}_{c} A'$. Since $A'$ is initial, by taking $\mathsf{tr}_m$ to be a $\Phi(A')$-minimal trace
associated to $\mathsf{tr}$, we obtain a reduced execution of $A$ leading to $A'$. Using our hypothesis
$A \approx_{r} B$, we obtain that $B \xrightarrow{\mathsf{tr}_m}_{r} B'$ with corresponding relations over frames. We finally
conclude that $B \xrightarrow{\mathsf{tr}}_{c} B'$ using Lemma 21 and the result stated above. ◄


Improper blocks. Similarly as we did for the compressed semantics in Section we can
further restrict to only check proper traces (see Appendix).
Application


We have developed two successive refinements of the concrete semantics of our process algebra, 
eventually obtaining a reduced semantics that achieves an optimal elimination of redundant 
interleavings. However, the practical usability of these semantics in algorithms for checking 
the equivalence of replication-free processes is far from immediate: indeed, all of our semantics 
are still infinitely branching, because each input may be fed with arbitrary messages. We 
now discuss how existing decision procedures based on symbolic execution [Ml iMl HI] 
can be modified to decide our optimised equivalences rather than the regular one, before 
presenting our implementation and experimental results. 


^ Note that minimal traces are not unique, since only labelled skeletons are taken into account when 
comparing actions. However, the redundancy induced by the choice of recipes is not a concern in 
practice as it does not arise with the current constraint-based techniques for deciding trace equivalence. 
6.1 Symbolic execution 


Our compressed semantics can easily be used as a replacement of the regular one, in any 
tool whose algorithm is based on a forward exploration of the set of possible traces. This 
modification is very lightweight, and already brings a significant optimisation. In order to 
make use of our final, reduced semantics, we need to enter into the details of constraint 
solving. In addition to imposing the compressed strategy, symbolic execution should be 
modified to generate dependency constraints in order to reflect the data dependencies imposed 
by our predicate tr > b. Actually, the generation of dependency constraints can be done in a 
similar way as shown in (even if the class of processes considered in [5] is more restrictive). 
We simply illustrate the effect of these dependency constraints on a simple example. 


► Example 27. We consider roles $R_i := \mathtt{in}(c_i, x).\mathtt{if}\ x = \mathsf{ok}\ \mathtt{then}\ \mathtt{out}(c_i, \mathsf{ok})$ where ok is a 
public constant, and then consider a parallel composition of $n$ such processes: $P_n := \Pi_{i=1}^{n} R_i$. 

Thanks to compression, we will only consider traces made of blocks, and obtain a first 
exponential reduction of the state space. Now, assume that our order prioritizes blocks on 
$c_i$ w.r.t. those on $c_j$ when $i < j$, and consider a trace starting with $\mathtt{in}(c_j, \cdot).\mathtt{out}(c_j, w_j)$. Trying 
to continue the exploration with an input action on $c_i$ with $i < j$, the dependency constraint 
added will impose that the recipe $R_i$ used to feed the input on $c_i$ makes use of the previous 
output to derive ok. Actually, this dependency constraint will impose more than that. Indeed, 
imposing that $R_i$ has to use $w_j$ is not very restrictive since in this example there are many 
ways to rely on $w_j$ to derive ok, e.g. $R_i = \mathsf{dec}(\mathsf{enc}(\mathsf{ok}, w_j), w_j)$ or even $R_i = w_j$. 

Actually, according to our reduced semantics, this step will be possible only if the message 
stored in $w_j$ is mandatory to derive the message expected in input on channel $c_i$. In this 
example, the conditional imposes that the recipe $R_i$ leads to the message ok (at least to 
pursue in the then branch), and even if there are many ways to derive ok, in any case the 
content of $w_j$ is not mandatory for that. Thus, on this simple example, all the traces where 
the action $\mathtt{in}(c_i, \cdot)$ is performed after the block on $c_j$ with $i < j$ will not be explored thanks 
to our reduction technique. 
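
The pruning described in Example 27 can be reproduced on a small model. The Python sketch below is an added illustration, not code from the paper or from Apte: it counts the traces of the toy process under the regular, compressed and reduced strategies, following only the then branch. The `needs` map (which outputs are mandatory for an input) and the variant in which the input on channel 1 needs the output of block 3 are assumptions constructed for the example; in the tool this information comes out of constraint solving.

```python
from functools import lru_cache


def regular_trace_count(n):
    """Regular semantics: count every interleaving of n roles, each doing
    in(c_i, x) and then out(c_i, ok)."""
    @lru_cache(maxsize=None)
    def explore(pc):                      # pc[i] = actions role i has done
        if all(p == 2 for p in pc):
            return 1
        return sum(explore(pc[:i] + (pc[i] + 1,) + pc[i + 1:])
                   for i in range(n) if pc[i] < 2)
    return explore((0,) * n)


def authorised(trace, b, needs):
    """Simplified reduced semantics: may block b extend `trace`?

    needs[b] is the set of blocks whose output is mandatory to build the
    input of b (assumed known here). Blocks on c_i have priority over
    blocks on c_j when i < j, as in Example 27.
    """
    for prev in reversed(trace):
        if prev in needs.get(b, ()):
            return True       # data dependency: b cannot move before prev
        if b < prev:
            return False      # independent and b has priority over prev:
                              # the trace with b swapped earlier is kept
    return True               # only independent blocks with priority behind


def block_traces(n, needs=None, reduced=False):
    """Compressed semantics (one in.out block per role), optionally reduced."""
    needs = needs or {}
    found = []

    def explore(trace):
        if len(trace) == n:
            found.append(tuple(trace))
            return
        for b in range(1, n + 1):
            if b in trace:
                continue
            if not set(needs.get(b, ())) <= set(trace):
                continue      # a mandatory output is not available yet
            if reduced and not authorised(trace, b, needs):
                continue
            explore(trace + [b])

    explore([])
    return found


if __name__ == "__main__":
    print(" n  regular  compressed  reduced")
    for n in range(1, 6):
        print(f"{n:2d}  {regular_trace_count(n):7d}  "
              f"{len(block_traces(n)):10d}  "
              f"{len(block_traces(n, reduced=True)):7d}")
    # Constructed variant: the input on c_1 can only be built from w_3.
    print(block_traces(3, needs={1: {3}}, reduced=True))
```

With no mandatory outputs, as in Example 27, the reduced strategy keeps a single trace for every n, while the regular and compressed counts grow as (2n)!/2^n and n!.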


The constraint solver is then modified in a non-invasive way: dependency constraints 
are used to dismiss configurations when it becomes obvious that they cannot be satisfied. 
The modified verification algorithm may explore symbolic traces that do not correspond to 
$\Phi$-minimal representatives (when dependency constraints cannot be shown to be infeasible) 
but we will see that this approach allows us to obtain a very effective optimisation. Note that, 
because we may over-approximate dependency constraints, we must ensure that constraint 
resolution prunes executions in a symmetrical fashion for both processes being checked for 
equivalence. 

► Remark. A subtle point about compression is that it actually enhances reduction in a 
symbolic setting. Consider the process $P = \mathtt{in}(c, x).\mathtt{out}(c, n_1).\mathtt{out}(c, n_2)$ in parallel with 
$Q = \mathtt{in}(c', x)$. If $\prec$ gives priority to $Q$, then $Q$ can only be scheduled after $P$ if its input 
message requires the knowledge of one of the nonces $n_1$ and $n_2$ revealed by $P$. Thus we 
have two symbolic interleavings, one of which is subject to a dependency constraint. Now, 
we could have applied the ideas of reduction directly on actions rather than blocks but we 
would have obtained three symbolic interleavings, reflecting the fact that if the input on $c'$ 
depends on only the first output nonce, it should be scheduled before the second output. 
6.2 Experimental results 


The optimisations developed in the present paper have been implemented, following the 
above approach, in the official version of the state of the art tool Apte. We now report 
on experimental results; sources and instructions for reproduction are available [25]. We only 
show examples in which equivalence holds, because the time spent on inequivalent processes 
is too sensitive to the order in which the (depth-first) exploration is performed. 


Toy example. We consider again our simple example described in Section 6.1. We ran Apte 
on $P_n \approx P_n$ for n = 1 to 22, on a single 2.67GHz Xeon core (memory is not relevant). We 
performed our tests on the reference version and the versions optimised with the compressed 
and reduced semantics respectively. The results are shown on the left graph of Figure 3, 
in logarithmic scale: it confirms that each optimisation brings an exponential speedup, as 
predicted by our theoretical analysis. 

Figure 3: Impact of optimisations on toy example (left) and Denning-Sacco (right). 


Denning-Sacco protocol. We ran a similar benchmark, checking that Denning-Sacco ensures 
strong secrecy in various scenarios. The protocol has three roles and we added processes 
playing those roles in turn, starting with three processes in parallel. The results are plotted 
on Figure 3. The fact that we add one role out of three at each step explains the irregular 
growth in verification time. We still observe an exponential speedup for each optimisation. 

Practical impact. Finally, we illustrate how our optimisations make Apte much more useful 
in practice for investigating interesting scenarios. Verifying a single session of a protocol 
brings little assurance into its security. In order to detect replay attacks and to allow the 
attacker to compare messages that are exchanged, at least two sessions should be considered. 
This means having at least four parallel processes for two-party protocols, and six when 
a trusted third party is involved. This is actually beyond what the unoptimised Apte can 
handle in a reasonable amount of time. We show below how many parallel processes could 
be handled in 20 hours by the different versions of Apte on various use cases of protocols. 
7 Related Work 

The techniques we have presented borrow from standard ideas from concurrency theory, 
trace theory and, perhaps more surprisingly, proof theory. Blending all these ingredients, 
and adapting them to the demanding framework of security protocols, we have come up 
with partial order reduction techniques that can effectively be used in symbolic verification 
algorithms for equivalence properties of security protocols. We now discuss related work, and 
there is a lot of it given the huge success of POR techniques in various application areas. We 
shall focus on the novel aspects of our approach, and explain why such techniques have not 
been needed outside of security protocol analysis. These observations are not new: as pointed 
out by Baier and Katoen [7], “[POR] is mainly appropriate to control-intensive applications 
and less suited for data-intensive applications”; Clarke et al. also remark that “In the 
domain of model checking of reactive systems, there are numerous techniques for reducing 
the state space of the system. One such technique is partial-order reduction. This technique 
does not directly apply to [security protocol analysis] because we explicitly keep track of 
knowledge of various agents, and our logic can refer to this knowledge in a meaningful way.” 

We first compare our work with classical POR techniques. Then, we discuss more 
specifically previous works that use POR in a symbolic execution setting, and comment on 
previous work in the domain of security protocol analysis. We conclude the section with some 
remarks on the relationship between our optimized semantics and focused proof systems. 


7.1 Classical POR 

Partial order reduction techniques have proved very useful in the domain of model checking 
concurrent programs. Given a Labelled Transition System (LTS) and some property to 
check (e.g., a Linear Temporal Logic formula), the basic idea of POR [211 [211 C] is to 
only consider a reduced version of the given LTS whose enabled transitions in some states 
might not be exhaustive but are such that this transformation does not affect the property. 
POR techniques can be categorized in two groups. First, the persistent set techniques 
(e.g., stubborn sets, ample sets) where only a sufficiently representative subset of available 
transitions is explored. Second, sleep set techniques memoize past exploration and use this 
information along with available transitions to disable some provably redundant transitions. 
Note that these two kinds of techniques are compatible, and are indeed often combined to 
obtain better reductions. Theoretical POR techniques apply to transition systems which 
may not be explicitly available in practice, or whose explicit computation may be too costly. 
In such cases, POR is often applied to an approximation of the LTS that is obtained through 
static analysis. Another, more recent approach is to use dynamic POR [221 [211H] where the 
POR arguments are applied based on information that is obtained during the execution of 
the system. 

Clearly, classical POR techniques would apply to our concrete LTS, but that would not 
be practically useful since this LTS is wildly infinite, taking into account all recipes that 
the attacker could build. Applying most classical POR techniques to the LTS from which 
data would have been abstracted away would be ineffective: any input would be dependent 
with any output (since the attacker’s knowledge, increased by the output, may enable new 
input messages). Our compression technique lies between these two extremes. It exploits a 
semi-commutation property: outputs can be permuted before inputs, but not the converse in 
general. Further, it exploits the fact that inputs do not increase the attacker’s knowledge, 
and can thus be executed in a chained fashion, under focus. The semi-commutation is 
reminiscent of the asymmetrical dependency analysis enabled by the conditional stubborn set 
technique, and the execution of inputs under focus may be explained by means of sleep 
sets. While it may be possible to formally derive our compressed semantics by instantiating 
abstract POR techniques to our setting, we have not explored this possibility in detail. 
As mentioned earlier, the compressed semantics is inspired from another technique, namely 
focusing [3] from proof theory. Concerning our reduced semantics, it may be seen as an 
application of the sleep set technique (or even as a reformulation of Anisimov’s and Knuth’s 
characterization of lexicographic normal forms) but the real contribution with this technique 
is to have formulated it in such a way that it can be implemented without requiring an a 
priori knowledge of data dependencies: it allows us to eliminate redundant traces on-the-fly 
as data (in)dependency is discovered by the constraint resolution procedure (more on this in 
the next sections) — in this sense, it may be viewed as a case of dynamic POR. 

Narrowing the discussion a bit more, we now focus on the fact that our techniques 
are designed for the verification of equivalence properties. This requirement turns several 
seemingly trivial observations into subtle technical problems. For instance, ideas akin to 
compression are often applied without justification (e.g., in [S^JEHISS]) because they are 
obvious when one does reachability rather than equivalence checking. To understand this, it 
is important to distinguish between two very different ways of applying POR to equivalence 
checking (independently of the precise equivalence under consideration). The first approach is 
to reduce a system such that the reduced system and the original systems are equivalent. In 
the second approach, one only requires that two reduced systems are equivalent iff the original 
systems are equivalent. The first approach seems to be more common in the POR literature 
(where one finds, e.g., reductions that preserve LTL-satisfiability [7] or bisimilarity [2B]), 
though there are instances of the second approach (e.g., for Petri nets). In the present 
work, we follow the second approach: neither of our two reduction techniques preserves 
trace equivalence. This allows stronger reductions but requires extra care: one has to ensure 
that the independencies used in the reduction of one process are also meaningful for the 
other processes; in other words, reduction has to be symmetrical. This is the purpose of 
our annotated semantics and its “strong symmetry lemma” (Lemma 13) but also, for the 
reduced semantics, of Lemma [2^ and Proposition [H]. We come back to these two different 
approaches later, when discussing specific POR techniques for security. 

7.2 Infinite data and symbolic execution 

Symbolic execution is often used to verify systems dealing with infinite data, e.g., recipes and 
messages in security; integers, list, etc. in program verification. In many works combining 
POR and symbolic executions (e.g., miMlini]) the detection of redundant explorations 
does not rely on the data, and can thus be done trivially at the level of symbolic executions. 
In such cases, POR and symbolic execution are orthogonal. For instance, in [32], two actions 
are data-dependent if one action is a send action of some message m to some process p 
and the other is a receive action of process p. This is done independently of m, which is 
meaningful when one considers internal reduction (as is the case in that work) but would be too 
coarse when one considers labelled transitions representing interactions with an environment 
that may construct arbitrary recipes from previous outputs (as is the case in our work). Due 
to this omnipotent attacker, POR techniques cannot be effective in our setting unless they 
really take data into account. Further, due to the infinite nature of data, and the dynamic 


^ Although this would be an interesting question, we do not expect that any improvement of compression 
would come out of it. Indeed, compression can be argued to be maximal in terms of eliminating 
redundant traces without analyzing data: for any compressed trace there is a way to choose messages 
and modify tests to obtain a concrete execution which does not belong to the equivalence class of any 
other compressed trace. 
extension of the attacker’s knowledge, POR and symbolic execution must be integrated 
rather than orthogonal. Our notion of independence and trace monoid are tailored to take 
all this into account, including at the level of trace equivalence (cf. again Lemma 24). And, 
although reduction is presented (Section]^ in the concrete semantics, the crucial point is that 
the authorised predicate (Definition 22) is implemented as a special dependency constraint 
(Section]^ so that our POR algorithm fundamentally relies on symbolic execution. We have 
not seen such uses of POR outside of the security applications mentioned next. 


7.3 Security applications 

The idea of applying POR to the verification of security protocols dates back, at least, to 
the work of Clarke et al. [njE]. In this work, the authors remark that traditional POR 
techniques cannot be directly applied to security mainly because “[they] must keep track of 
knowledge of various agents” and “[their] logic can refer to this knowledge in a meaningful 
way”. This led them to define a notion of semi-invisible actions (output actions, that cannot 
be swapped after inputs but only before them) and design a reduction that prioritizes outputs 
and performs them in a fixed order. Compared to our work, this reduction is much weaker 
(even weaker than compression only), only handles a finite set of messages, and only focuses 
on reachability properties checking. 

In [12], the authors develop “state space reduction” techniques for the Maude-NRL 
Protocol Analyzer (Maude-NPA). This tool proceeds by backwards reachability analysis and 
treats at the same level the exploration of protocol executions and attacker’s deductions. 
Several reductions techniques are specific to this setting, and most are unrelated to partial 
order reduction in general, and to our work in particular. We note that the lazy intruder 
techniques from m should be compared to what is done in constraint resolution procedures 
(e.g., the one used in Apte) rather than to our work. A simple POR technique used in 
Maude-NPA is based on the observation that inputs can be executed in priority in the 
backwards exploration, which corresponds to the fact that we can execute outputs first in 
forward explorations. We note again that this is only one aspect of the focused strategy, and 
that it is not trivial to lift this observation from reachability to trace equivalence. Finally, a 
“transition subsumption” technique is described for Maude-NPA. While highly non-trivial 
due to the technicalities of the model, this is essentially a tabling technique rather than a 
partial order reduction. Though it does yield a significant state space reduction (as shown in 
the experiments) it falls short of exploiting independencies fully, and has a potentially 
high computational cost (which is not evaluated in the benchmarks of [12]). 

In [2T], Fokkink et al. model security protocols as labeled transition systems whose states 
contain the control points of different agents as well as previously outputted messages. They 
devise some POR technique for these transition systems, where output actions are prioritized 
and performed in a fixed order. In their work, the original and reduced systems are trace 
equivalent modulo outputs (the same traces can be found after removing output actions). The 
justification for their reduction would fail in our setting, where we consider standard trace 
equivalence with observable outputs. More importantly, their requirement that a reduced 
system should be equivalent to the original one makes it impossible to swap input actions, 
and thus reductions such as the execution under focus of our compressed semantics cannot 
be used. The authors leave as future work the problem of combining their algorithm with 
symbolic executions, in order to be able to lift the restriction to a finite number of messages. 

Cremers and Mauw proposed a reduction technique based on the sleep set idea. 
Basically, when their exploration algorithm chooses to explore a specific action (an output 
or an input with its corresponding message), it will also add all the other available actions 
that have priority over the chosen one to the current sleep set. An action in this sleep set 
will never be explored. In this work, only reachability properties are considered, and the 
reduction cannot be directly applied to trace equivalence checking. More importantly, the 
technique can only handle a finite set of messages. The authors identify as important future 
work the need to lift their method to the symbolic setting. 

Earlier work by Mödersheim et al. has shown how to combine POR techniques with 
symbolic semantics in the context of reachability properties for security protocols, 
which has led to high efficiency gains in the OFMC tool of the AVISPA platform [S]. 
While their reduction is very limited, it brings some key insight on how POR may be 
combined with symbolic execution. In a model where actions are sequences of outputs 
followed by inputs, their reduction imposes a differentiation constraint on the interleavings of 
$\mathtt{in}(c, x).\mathtt{out}(c, m) \mid \mathtt{in}(d, y).\mathtt{out}(d, m')$. This constraint enforces that the symbolic interleaving 
$\mathtt{in}(d, M').\mathtt{out}(d, w').\mathtt{in}(c, M).\mathtt{out}(c, w)$ should only be explored for instances of $M$ that 
depend on $w'$. Our reduced semantics constrains patterns of arbitrary size (instead of just size 
2 diamond patterns as above) by means of the authorised predicate (Definition 22). Moreover, 
our POR technique has been designed to be sound and complete for trace equivalence checking 
as well. 

In a previous work [B], we settled the general ideas for the POR techniques presented 
in the present paper, but results were much weaker. That earlier work only dealt with the 
restrictive class of simple processes, which does not feature nested parallel composition or 
replication, and made heavy use of specific properties of processes of that class to define 
reductions and prove them correct. In the present work, we show that our two reduction 
techniques apply to a very large class of processes for reachability checking. For equivalence 
checking, we only require the semantic condition of action-determinism. Note that the results 
of the present paper are conservative over those of [B]: the reductions of [B] are obtained as 
a particular case of the results presented here in the case of simple processes. Finally, the 
present work brings a solid implementation in the state of the art tool Apte [TD], whereas [B] 
did not present experimental results — it mentioned a preliminary implementation, extending 
SPEC, which we abandoned since it was difficult to justify and handled a more restricted 
class than APTE. 

7.4 Relationship with focused proof systems 

The reader familiar with focused proof systems [5] will have recognized the strong similarities 
with our compressed semantics. The strategies are structured in the same way, around 
positive and negative phases. More deeply, the compressed semantics can actually be derived 
systematically from the focused proof system of linear logic, through an encoding of our 
processes into linear logic formulas (such that proof search corresponds to process executions). 
There are several such encodings in the literature, see for instance ESHmilH]. We do not 
provide here a fully worked-out encoding appropriate for our protocols. It is not trivial, 
notably due to the need to encode the attacker’s knowledge, and internal reductions of 
protocols — both features require slight extensions of the usual linear logic framework. We 
have thus chosen to only take the correspondence with linear logic as an intuitive guide, and 
give a self-contained (and simple) proof of completeness for our compressed semantics by 
adapting the positive trunk argument of m- Note that the strong analogies with proof 
theory only hold for reachability results, i.e., up to Lemma [T^ It is a contribution of this 
paper to observe that focusing (compression) makes sense beyond reachability, at the level of 
trace equivalence: Theorem (stating that trace equivalence coincides with compressed 
trace equivalence for action-deterministic processes) has no analogue in the proof theoretical 
setting, where trace equivalence itself is meaningless. 

We motivated reduction by observing that (in)dependencies between blocks of the 
compressed semantics should be exploited to eliminate redundant interleavings. This same 
observation has been made in the context of linear logic focusing, and led to the idea of 
multi-focusing [S] where independent synthetic connectives (the analogue of our blocks) 
are executed simultaneously as much as possible. That work on multi-focusing is purely 
theoretical, and it is unclear how multi-focusing could be applied effectively in proof search. 
It would be interesting to consider whether the gradual construction of unique representatives 
in our reduced semantics could be extended to the richer setting of linear logic (where proof 
search branches, unlike process executions). 
8 Conclusion 


We have developed two POR techniques that are adequate for verifying reachability and 
trace equivalence properties of action-deterministic security protocols. We have effectively 
implemented them in Apte, and shown that they yield the expected, significant benefit. 

We are considering several directions for future work. Regarding the theoretical results 
presented here, the main question is whether we can get rid of the action-determinism 
condition without degrading our reductions too much. Regarding the practical application 
of our results, we can certainly go further. We first note that our compression technique 
should be applicable and useful in other verification tools, not necessarily based on symbolic 
execution. Next, we could investigate the role of the particular choice of the order to 
determine heuristics for maximising the practical impact of reduction. Finally, we plan 
to adapt our treatment of replication to bounded replication to obtain a first symmetry 
elimination scheme, which should provide a significant optimisation when studying security 
protocols with several sessions. 
A Annotated semantics 
A.1 Reachability 

► Proposition 28. Well labelling is preserved by $\rightarrow_a$. 

Proof. For all transitions except Par and Repl, the multiset of labels of the resulting 
configuration is a subset of labels of the original configuration. Thus, well labelling is 
obviously preserved in those cases. 

Consider now a Par transition, represented below without the permutation, which does 
not play a role here: 

$(\{[\Pi_{i=1}^{n} P_i]^{\ell}\} \uplus \mathcal{P}; \Phi) \rightarrow (\{[P_1]^{\ell \cdot 1}, \ldots, [P_n]^{\ell \cdot n}\} \uplus \mathcal{P}; \Phi)$ 

We check that labels are pairwise independent. This is obviously the case for the new labels 
$\ell \cdot i$. Let us now consider a label $\ell'$ from $\mathcal{P}$ and show that it is independent from any $\ell \cdot i$. It 
cannot be equal to one of them (otherwise it would be a suffix of $\ell$, which contradicts the 
well labelling of the initial configuration) and it cannot be a strict prefix either (otherwise it 
would be a prefix of $\ell$ too). Finally, $\ell \cdot i$ cannot be a prefix of $\ell'$ because $\ell$ is not a prefix of $\ell'$. 

As far as labels are concerned, Repl transitions are a particular case of Par where there 
are only two sub-processes. Thus Repl preserves well labelling. ◄ 

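► Lemma 11. Let $A$ be a (well labelled) configuration, $\alpha$ and $\beta$ be two independent labelled 
actions. We have $A \xrightarrow{\alpha.\beta}_a A'$ if, and only if, $A \xrightarrow{\beta.\alpha}_a A'$. 

Proof. By symmetry it is sufficient to show one implication. Assuming $\ell_1$ and $\ell_2$ to be 
independent, we consider a transition labelled $\alpha$ = followed by one labelled $\beta$ = . 

We first observe that a transition labelled $\ell_1$ can only generate new labels that are dependent 
with $\ell_1$. Thus, $\ell_2$ must be present in the original configuration and our execution is of the 
following form, where we write $P_\alpha$ (resp. $P_\beta$) instead of $[P_\alpha]^{\ell_1}$ (resp. $[P_\beta]^{\ell_2}$): 

$A = (\mathcal{P} \uplus \{P_\alpha, P_\beta\}; \Phi) \xrightarrow{\alpha}_a (\mathcal{P} \uplus \mathcal{P}_\alpha \uplus \{P_\beta\}; \Phi_\alpha) \xrightarrow{\beta}_a (\mathcal{P} \uplus \mathcal{P}_\alpha \uplus \mathcal{P}_\beta; \Phi_\beta)$ 

It remains to check that $\beta$ can be performed by $P_\beta$ in the original configuration, and that 
doing so would not prevent the $\alpha$ transition to happen next. The only thing that could 
prevent $\beta$ from being performed is that the frames $\Phi$ and $\Phi_\alpha$ may be different, in the case 
where $\alpha$ is an input. In that case, the recipe independence hypothesis guarantees that $\beta$ does 
not rely on the new handle introduced by $\alpha$ and can thus be played with only $\Phi$. Finally, 
performing $\alpha$ after $\beta$ is easy. We only detail the case where $\beta = \mathtt{out}(c, w)$ and $\alpha$ is an input 
of recipe $M$. In that case we have $\Phi_\alpha = \Phi$, $\Phi_\beta = \Phi_\alpha \uplus \{w \mapsto m\}$, and $M \in \mathcal{T}(\mathrm{dom}(\Phi))$. We 
observe that $M \in \mathcal{T}(\mathrm{dom}(\Phi_\beta))$ and we construct the execution: 

$A = (\mathcal{P} \uplus \{[P_\alpha]^{\ell_1}, [P_\beta]^{\ell_2}\}; \Phi) \xrightarrow{\beta}_a (\mathcal{P} \uplus \mathcal{P}_\beta \uplus \{[P_\alpha]^{\ell_1}\}; \Phi_\beta) \xrightarrow{\alpha}_a (\mathcal{P} \uplus \mathcal{P}_\alpha \uplus \mathcal{P}_\beta; \Phi_\beta)$ 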


A.2 Equivalence 

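► Definition 29. Given a process $P$, we define the set of its enabled skeletons as 

$$\mathsf{enable}(P) = \begin{cases} \{\mathsf{sk}(P)\} & \text{if } P \text{ starts with an observable action} \\ \bigcup_i \{\mathsf{sk}(P_i)\} & \text{if } P = \Pi_i P_i \\ \emptyset & \text{if } P = 0 \end{cases}$$ 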


© David Baelde, Stephanie Delaune, and Lucca Hirschi; licensed under Creative Commons License CC-BY 

We may consider skeletons, labelled skeletons and enabled skeletons of a configuration by 
taking the set of the corresponding objects of all its processes. 

► Property 30. For any configurations A, A' and non-observable action $\alpha$, if A -tfi-a A' or 
A ^ then enable(A) = enable(A'). 

► Property 31. Let $A$ be an action-deterministic configuration and $P$, $Q$ two of its processes. 
We have that $\mathsf{enable}(P) \cap \mathsf{enable}(Q) = \emptyset$. 

► Lemma 32. Let $A$ be an action-deterministic configuration. If $A \xrightarrow{\mathsf{tr}_1} A_1$ and $A \xrightarrow{\mathsf{tr}_2} A_2$ 
for some traces $\mathsf{tr}_1, \mathsf{tr}_2$ such that $\mathsf{obs}(\mathsf{tr}_1) = \mathsf{obs}(\mathsf{tr}_2)$ then $\mathsf{enable}(A_1) = \mathsf{enable}(A_2)$ and 
$\Phi(A_1) = \Phi(A_2)$. 

Proof. We first prove a stronger result when the configurations $A_1$ and $A_2$ are canonical, i.e. 
only contain processes that are neither 0 nor a parallel composition. Actually, in such a case, 
we prove that $A_1 = A_2$. 

To prove this intermediate result, we proceed by induction on obs(tri). The base case is 
trivial. Let us show the inductive case. We assume that tri = trfia.trf with a an observable 
action and trj” containing only non-observable actions. Since obs(tri) = obs(tr 2 ), we have 
that tr 2 = tr^.a.tr^ with tr^ containing only non-observable actions and obs(tr°) = obs(tr 2 ). 
Our given executions are thus of the form: 

At^A° Ai and A ^ A° A 2 

It may be the case that A° or are not canonical. The idea is to reorder some 
non-observable actions. More precisely, we perform all available non-observable actions of A^ 
and A 2 before performing a. By doing this, we do not change the observable actions of the 
different sub-traces and obtain 

A A'° Ai and A Af A 2 

with A'° and A^® canonical. By inductive hypothesis, we have that A'° = A'^. We now must 
show Ai = A 2 . By action-determinism of A, there is only one process P that can perform 
a in A'fi(= A 2 ). The resulting process P' after performing a is thus the same in the two 
executions. Since Ai and A 2 are canonical and tr'j” and tr^” contain only non-observable 
actions, Ai = A 2 . 

In order to be able to apply our previous result, we complete the executions with all 
available non-observable actions: 


A Ai ^ A[ and A -5% A2 ^ A'2 

such that Ai and A 2 are canonical and trj” and tr 2 " contain only non-observable actions. We 
also have that: 

H d)(Ai) = d)(A']^) and enable(Ai) = enable(A']^); and 
H d)(A2) = ^{A' 2 ) and enable(A2) = enable(Ay. 

We now conclude thanks to our previous result, and obtain A'^ = A '2 implying the desired 
equalities. ◄ 

► Proposition 33. Let A and B be two action-deterministic configurations such that $A \approx B$.
If $A \xrightarrow{tr_A} A'$ and $B \xrightarrow{tr_B} B'$ with $\mathrm{obs}(tr_A) = \mathrm{obs}(tr_B)$ then $\Phi(A') \sim \Phi(B')$ and
$\mathrm{enable}(A') = \mathrm{enable}(B')$.

Proof. By hypothesis, we know that $A \approx B$, and also that $A \xrightarrow{tr_A} A'$. Moreover, the freshness
condition on channels (i.e., $\mathrm{bc}(tr_A) \cap \mathrm{fc}(B) = \emptyset$) holds as B is able to perform $tr_B$, and $tr_A$
and $tr_B$ share the same bound channels. Hence, we know that there exist $tr_B'$ and $B''$ such
that

$B \xrightarrow{tr_B'} B''$, $\mathrm{obs}(tr_A) = \mathrm{obs}(tr_B')$, and $\Phi(A') \sim \Phi(B'')$.

Now, since B is an action-deterministic configuration, applying Lemma 32 on $tr_B$ and $tr_B'$,
we obtain that $\mathrm{enable}(B') = \mathrm{enable}(B'')$ and $\Phi(B') = \Phi(B'')$. This allows us to conclude
that $\Phi(A') \sim \Phi(B')$.

It remains to show that $\mathrm{enable}(A') = \mathrm{enable}(B')$. By symmetry, we only show one
inclusion. Let $\alpha_s \in \mathrm{enable}(A')$, we shall show that $\alpha_s \in \mathrm{enable}(B')$. We deduce from the
latter that there is a trace $tr'$ that is either $\alpha$ or $\tau.\alpha$ (where $\alpha$ is an observable action whose
skeleton is $\alpha_s$) such that

$A' \xrightarrow{tr'} A_0$

for some $A_0$. Since $A \approx B$, we know that there exist $tr_0$, $tr_0'$, $B_0$, and $B_0'$ such that

$B \xrightarrow{tr_0} B_0' \xrightarrow{tr_0'} B_0$


with d’(Ho) ~ $(^ 30 ) and obs(tr^) = obs(tro) and obs(tr') = a. we have that a G enable(Bo). 
In particular, using Property [M| we have that as G enable(HQ). 

Now, since B is an action-deterministic configuration, applying Lemma 32 on $tr_B$ and $tr_0$
we obtain $\mathrm{enable}(B') = \mathrm{enable}(B_0')$, and thus $\alpha_s \in \mathrm{enable}(B')$. ◄


► Proposition 34. Let A be an action-deterministic configuration and P, Q two of its
processes. If $\mathrm{enable}(P) = \mathrm{enable}(Q)$ then $\mathrm{sk}(P) = \mathrm{sk}(Q)$.

Proof. Let us show that $\mathrm{sk}(P) = \mathrm{sk}(Q)$. If $\mathrm{enable}(P)$ is an empty set then $P = 0$ and thus
from $\mathrm{enable}(Q) = \emptyset$ we deduce that $Q = 0$ as well implying the required equality on skeletons.
If $\mathrm{enable}(P)$ is a singleton then it must be $\{\mathrm{sk}(P)\}$ (we cannot be in the case where P is a
parallel composition, for in that case there would be at least two skeletons in $\mathrm{enable}(P)$ by
action-determinism of A). The same goes with Q thus we have $\{\mathrm{sk}(P)\} = \{\mathrm{sk}(Q)\}$. Finally,
if $\mathrm{enable}(P)$ contains at least two skeletons then it must be the case that P is a parallel
composition of the form $\Pi_i P_i$ and $\mathrm{enable}(P) = \cup_i \{\mathrm{sk}(P_i)\}$. Similarly, Q must be of the form
$\Pi_i Q_i$ and $\mathrm{enable}(Q) = \cup_i \{\mathrm{sk}(Q_i)\}$. Here, we make use of action-determinism to obtain that
the number of subprocesses in parallel is the same as the cardinality of the sets of skeletons,
and thus the same for P and Q: indeed, no two parallel subprocesses can have the same
skeleton. We conclude that $\mathrm{sk}(P) = \mathrm{par}(S)$ where S is the ordered sequence of skeletons
from $\cup_i \{\mathrm{sk}(P_i)\}$, and $\mathrm{sk}(Q) = \mathrm{par}(S)$ where S is the ordered sequence of skeletons from
$\cup_i \{\mathrm{sk}(Q_i)\} = \cup_i \{\mathrm{sk}(P_i)\}$. ◄


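► Lemma (13). Let A and B be two action-deterministic configurations such that $A \approx B$
and $\mathrm{skl}(A) = \mathrm{skl}(B)$. For any execution

$A \xrightarrow{[\alpha_1]^{\ell_1}}_a A_1 \xrightarrow{[\alpha_2]^{\ell_2}}_a \ldots \xrightarrow{[\alpha_n]^{\ell_n}}_a A_n$

with $\mathrm{bc}(\alpha_1 \ldots \alpha_n) \cap \mathrm{fc}(B) = \emptyset$, there exists an execution

$B \xrightarrow{[\alpha_1]^{\ell_1}}_a B_1 \xrightarrow{[\alpha_2]^{\ell_2}}_a \ldots \xrightarrow{[\alpha_n]^{\ell_n}}_a B_n$

such that $\Phi(A_i) \sim \Phi(B_i)$ and $\mathrm{skl}(A_i) = \mathrm{skl}(B_i)$ for any $1 \le i \le n$.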
Proof. We show this result by induction on the length of the derivation $A \xrightarrow{tr}_a A_n$. The case
where tr is empty (i.e., no action even a non-observable one) is obvious. Assume that we
have proved such a result for all the executions of length $n$, and we want to establish the
result for an execution of length $n + 1$.

Consider an execution of $[\alpha_1]^{\ell_1} \ldots [\alpha_n]^{\ell_n}$ from $A$ to $A_n$ followed by $[\alpha_{n+1}]^{\ell_{n+1}}$ towards $A_{n+1}$.
By induction hypothesis, we know that there exists an execution

$B \xrightarrow{[\alpha_1]^{\ell_1}}_a B_1 \xrightarrow{[\alpha_2]^{\ell_2}}_a \ldots \xrightarrow{[\alpha_n]^{\ell_n}}_a B_n$

such that $\Phi(A_n) \sim \Phi(B_n)$ and $\mathrm{skl}(A_i) = \mathrm{skl}(B_i)$ for any $1 \le i \le n$. It remains to establish that
there exists $B_{n+1}$ such that $B_n$ can perform $[\alpha_{n+1}]^{\ell_{n+1}}$ towards $B_{n+1}$, $\Phi(A_{n+1}) \sim \Phi(B_{n+1})$
and $\mathrm{skl}(A_{n+1}) = \mathrm{skl}(B_{n+1})$. We distinguish several cases depending on the action $\alpha_{n+1}$.

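Case $\alpha_{n+1} = \mathrm{zero}$. We have that $[\mathrm{zero}]^{\ell_{n+1}} \in \mathrm{skl}(A_n)$, and thus, since $\mathrm{skl}(A_n) = \mathrm{skl}(B_n)$,
we have also that $[\mathrm{zero}]^{\ell_{n+1}} \in \mathrm{skl}(B_n)$. We deduce that $A_n = (\{[0]^{\ell_{n+1}}\} \uplus \mathcal{P}_0; \Phi_0)$, and
$B_n = (\{[0]^{\ell_{n+1}}\} \uplus \mathcal{Q}_0; \Psi_0)$ for some $\mathcal{P}_0$, $\mathcal{Q}_0$, $\Phi_0$, and $\Psi_0$. Moreover, since $\mathrm{skl}(A_n) = \mathrm{skl}(B_n)$,
we deduce that $\mathrm{skl}(\mathcal{P}_0) = \mathrm{skl}(\mathcal{Q}_0)$. Let $B_{n+1} = (\mathcal{Q}_0; \Psi_0)$. We have that:

■ $B_n = (\{[0]^{\ell_{n+1}}\} \uplus \mathcal{Q}_0; \Psi_0) \xrightarrow{[\mathrm{zero}]^{\ell_{n+1}}}_a (\mathcal{Q}_0; \Psi_0) = B_{n+1}$,
■ $\Phi(A_{n+1}) = \Phi(A_n) \sim \Phi(B_n) = \Phi(B_{n+1})$, and
■ $\mathrm{skl}(A_{n+1}) = \mathrm{skl}(\mathcal{P}_0) = \mathrm{skl}(\mathcal{Q}_0) = \mathrm{skl}(B_{n+1})$.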

Case $\alpha_{n+1} = \mathrm{par}(S)$ for some sequence $S = (\beta_1, \ldots, \beta_k)$. Note that this sequence is
ordered according to our order $<$ over skeletons (i.e., $\beta_1 < \ldots < \beta_k$) and the $\beta_i$ are pairwise
distinct by action-determinism of A. We have $[\mathrm{par}(S)]^{\ell_{n+1}} \in \mathrm{skl}(A_n)$, and thus, since
skl(A„) = skl(i3„), we have also that [par(S')]^’*+i G skl(i3„). A„ = WT^q; ‘ho), 

l±i,^^iSk(Pi) = {^ 1 , ...,Pk} and W Qo; Tq) for some Pi, Qi, Vo, Qo, ‘ho, 

and To. Further, we have 

An+I = w Vo; ‘ho) 

for some permutation $\pi$ over $[1;k]$ such that $\mathrm{sk}(P_{\pi(i)}) = \beta_i$ for all $i$. Moreover, since
$\mathrm{skl}(A_n) = \mathrm{skl}(B_n)$, we deduce that $\mathrm{skl}(\mathcal{P}_0) = \mathrm{skl}(\mathcal{Q}_0)$, and

$\{\mathrm{sk}(P_i) \mid 1 \le i \le k\} = \{\mathrm{sk}(Q_i) \mid 1 \le i \le k\} = \{\beta_1, \ldots, \beta_k\}$

Remark that, since $P_i$ (resp. $Q_i$) cannot be a zero or a parallel we have that $\mathrm{enable}(P_i) =
\{\mathrm{sk}(P_i)\}$ (resp. $\mathrm{enable}(Q_i) = \{\mathrm{sk}(Q_i)\}$) and those sets are singletons. Moreover, by
action-determinism of A and B we know that all those singletons are pairwise disjoint. From this,
we conclude that there exists a permutation $\pi'$ over $[1;k]$ such that

$\forall i,\ \mathrm{sk}(Q_{\pi'(i)}) = \beta_i = \mathrm{sk}(P_{\pi(i)})$


and thus 

Vz, skl([Q^,(q]^"+“)=skl([P^(q]fo+‘') 

We can finally let P„+i be W Qo; 'ho) and we have: 

- p„ = ({[ntiQ,]fo+'} w Qo; To) « 2o; 'ho) = Bn+I, 

. T(A„+i) = T(A„) - T(P„) = T(P„+i), and 

. skl(A„+i) = skl(Po) W l±Jtiskl([P,p)]^-+“) 

= skl(Qo) a l±JtiSkl([Q^,p)]fo+“)=skl(P„+i). 
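Case $\alpha_{n+1} = \mathrm{in}(c, M)$ for some $c$, and $M$ with $M \in \mathcal{T}(\mathrm{dom}(\Phi(A_n)))$. We have that
$[\mathrm{in}_c]^{\ell_{n+1}} \in \mathrm{skl}(A_n)$, and thus, since $\mathrm{skl}(A_n) = \mathrm{skl}(B_n)$, we have $[\mathrm{in}_c]^{\ell_{n+1}} \in \mathrm{skl}(B_n)$. We
deduce that $A_n = (\{[\mathrm{in}(c, x_A).P]^{\ell_{n+1}}\} \uplus \mathcal{P}_0; \Phi_0)$, and $B_n = (\{[\mathrm{in}(c, x_B).Q]^{\ell_{n+1}}\} \uplus \mathcal{Q}_0; \Psi_0)$ for
some $x_A$, $x_B$, $P$, $Q$, $\mathcal{P}_0$, $\mathcal{Q}_0$, $\Phi_0$, and $\Psi_0$. Since $A \approx B$ and thus $\mathrm{dom}(\Phi(A)) = \mathrm{dom}(\Phi(B))$,
we have that $\mathrm{dom}(\Phi_0) = \mathrm{dom}(\Psi_0)$. Moreover, since $\mathrm{skl}(A_n) = \mathrm{skl}(B_n)$, we deduce that
$\mathrm{skl}(\mathcal{P}_0) = \mathrm{skl}(\mathcal{Q}_0)$. Let $B_{n+1} = (\{[Q\{u_B/x_B\}]^{\ell_{n+1}}\} \uplus \mathcal{Q}_0; \Psi_0)$ where $u_B = M\Psi_0$. We have that:

■ $B_n \xrightarrow{[\mathrm{in}(c, M)]^{\ell_{n+1}}}_a B_{n+1}$, and
■ $\Phi(A_{n+1}) = \Phi(A_n) \sim \Phi(B_n) = \Phi(B_{n+1})$.

It remains to show that $\mathrm{skl}(A_{n+1}) = \mathrm{skl}(B_{n+1})$. Since we have that $\mathrm{skl}(\mathcal{P}_0) = \mathrm{skl}(\mathcal{Q}_0)$, and
the label of the new subprocess is the same (namely, $\ell_{n+1}$) on both sides, we only need to
show that:

$\mathrm{sk}(P\{M\Phi_0/x_A\}) = \mathrm{sk}(Q\{M\Psi_0/x_B\})$

In order to improve the readability, we will note $P' = P\{M\Phi_0/x_A\}$ and $Q' = Q\{M\Psi_0/x_B\}$.
We have that A and B are two action-deterministic configurations such that $A \approx B$.
Moreover, they perform the same trace, respectively towards $A_{n+1}$ and $B_{n+1}$. Thus,
thanks to Proposition 33 we deduce that $\mathrm{enable}(A_{n+1}) = \mathrm{enable}(B_{n+1})$. Moreover, our
hypothesis $\mathrm{skl}(\mathcal{P}_0) = \mathrm{skl}(\mathcal{Q}_0)$ implies that $\mathrm{enable}(\mathcal{P}_0) = \mathrm{enable}(\mathcal{Q}_0)$, and thus we
deduce that $\mathrm{enable}(P') = \mathrm{enable}(Q')$ (recall that by action-determinism, unions of the form
$\mathrm{enable}(A_{n+1}) = \mathrm{enable}(\mathcal{P}_0) \cup \mathrm{enable}(P')$ are actually disjoint unions). We conclude using
Proposition 34.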


Case $\alpha_{n+1} = \mathrm{out}(c, w)$ for some $c$ and some $w$ with $w \notin \mathrm{dom}(\Phi(A_n))$. This case is similar
to the previous one. However, during such a step, the frame of each configuration is enriched,
and thus the fact that $\Phi(A_{n+1}) \sim \Phi(B_{n+1})$ is now a consequence of Proposition 33.


Case $\alpha_{n+1} = \mathrm{sess}(a, \overline{c})$ for some $a$, and some $\overline{c}$. Firstly, we show for later that $\overline{c}$ are
fresh in $B_n$. Indeed, we deduce from $\mathrm{bc}(\alpha_1 \ldots \alpha_{n+1}) \cap \mathrm{fc}(B) = \emptyset$ that $\overline{c}$ are fresh in B and
we know that free channels of $B_n$ are included in $\mathrm{fc}(B) \cup \mathrm{bc}(\alpha_1 \ldots \alpha_n)$. Thereby, if there
was a channel $c_i \in \overline{c} \cap \mathrm{fc}(B_n)$ it would be in $\mathrm{bc}(\alpha_1 \ldots \alpha_n)$ but this is forbidden because of
the freshness condition (in the current trace) over channels, i.e., new channels cannot be
introduced twice (once in $\alpha_1 \ldots \alpha_n$ and once in $\alpha_{n+1}$).
As before, we obtain


^n = ({[!“^.^r?Pf"+^}WPo;d>o) and = ({[!'k_^Q]W} w Qo;'I'o) 

for some P, Q, Vq, Qo, d>o, and Tg. Moreover, since skl(A„) = skl(P„), we deduce that 
skl(Po)=skl(Qo). 

We have 

A„ + l = ({[P]'" + ^\ [!^ + y 

Accordingly, let us pose 

p„+i = ({[g]'"+^\ y 

We have that: 

- Pn 

. $(A„+i) = $(A„) ^ $(P„) = $(P„+i). 

It remains to show that skl(A„+i) = skl(P„+i). Since we have that skl(Po) = skl(Qo), and 
since the labels of corresponding subprocesses are the same on both sides, we only need to 
show that: 
■ $\mathrm{sk}(P) = \mathrm{sk}(Q)$ and
. sk(!“^,^P) = sk(!“^,^Q) 

As in the previous case, thanks to Proposition we know that enable(A„+i) = 
enable(i?„+i), and we deduce that enable(P) = enable(Q) and enable(!^ = enable(!^ ^Q)i 
which allows us to conclude using Proposition ◄ 

Finally, we can define the annotated trace equivalence and show that, for action-deterministic 
configurations, it coincides with trace equivalence. 

► Definition 35. Let A and B be two configurations. We have that $A \sqsubseteq_a B$ if, for every $A'$
such that $A \xrightarrow{tr}_a A'$ with $\mathrm{bc}(tr) \cap \mathrm{fc}(B) = \emptyset$, then there exists $B'$ such that $B \xrightarrow{tr}_a B'$, and
$\Phi(A') \sim \Phi(B')$. They are in annotated trace equivalence, denoted $A \approx_a B$, if $A \sqsubseteq_a B$ and $B \sqsubseteq_a A$.

► Lemma 36. Let A and B be two action-deterministic configurations such that $\mathrm{skl}(A) =
\mathrm{skl}(B)$.

$A \approx B$ if, and only if, $A \approx_a B$


Proof. Firstly, $A \approx_a B$ trivially implies $A \approx B$. For the other direction, we use Lemma [T^ to
conclude. ◄


B Compression
B.1 Reachability

► Lemma (16). Let A, A' be two configurations and tr be such that $A \xrightarrow{tr}_a A'$ is complete.
There exists a trace $tr_c$, such that $\lfloor tr_c \rfloor$ can be obtained from tr by swapping independent
labelled actions, and $\lceil A \rceil \xrightarrow{tr_c}_c \lceil A' \rceil$.

Proof. Let $A = (\mathcal{P}; \Phi)$ be a configuration and $(\mathcal{P}; \Phi) \xrightarrow{tr}_a A'$ a complete execution. We
proceed by induction on the length of tr, distinguishing two cases.

Case 1. We first consider the case where there is at least one process in $\mathcal{P}$ that is negative
and non-replicated. Since we are considering a complete execution, at least one negative
action $\alpha$ is performed on this process in tr. This action may be an output, the decomposition
of a parallel composition, or the removal of a zero. If there is more than one such action,
we choose the one that can be performed using Neg, i.e., the one that is minimal according
to our arbitrary order on labelled skeletons. Since our action can be performed initially by
our process, and by well-labelling, the label of the action is independent with all labels of
previously executed actions in tr. Moreover, there cannot be any second-order dependency
between $\alpha$ and one of those actions. Indeed, if $\alpha$ is an output, no input performed before $\alpha$ is
able to use the handle of $\alpha$. It can thus be swapped before all the others by using Lemma [m
obtaining an execution of trace $\alpha.tr'$ ending in the same configuration $A'$. The rule Neg
can be performed in the compressed semantics to trigger the action $\alpha$, and by induction
hypothesis on $tr'$ we can complete our compressed execution towards $A'$.

Case 2. Otherwise, when V contains only positive or replicated processes, we must choose 
one process to focus on, start a positive phase and execute all its actions until we can finally 
release the focus. As long as all processes are positive or replicated, only input or session 
actions can be performed. In either case, the action yields a new process (the continuation 
of the input, or the new session) which may be negative or positive. We define the positive
prefix of our execution as the prefix of actions for which all but the last transition yield a 
positive process. It is guaranteed to exist because A' contains only negative processes. 

The positive prefix is composed only of input and replication actions. Because session 
actions are performed by negative processes, and no new negative process is created in 
the positive prefix, session actions can be permuted at the beginning of the prefix thanks 
to Lemma 11. Thus, we assume without loss of generality that the prefix is composed of
session actions, followed by input actions: we write tr = tri.trjn.tro. In the portion of the 
execution where inputs of tri„ are performed, there is an obvious bijective mapping between 
the processes of any configuration and its successor, allowing us to follow execution threads, 
and to freely permute inputs pertaining to different threads. Such permutations are made 
possible by Lemma 11. Indeed, they concern actions that are (i) sequentially independent (i.e.,
labels are independent) since two different threads involve actions performed by processes in 
parallel and (ii) recipe independent since there is no output action in trin. 

The last action of the positive prefix releases a negative process P~. Let P be its antecedent 
(through its corresponding thread) in the configuration obtained after the execution of tri. We
have that: 


A = (P; $) (Pi a {P}; $) (P2 a {p-}; $) A' 

Now we can write P — Pg tit {Tf} where Pf is either P or a replicated process that gives rise 
to P in one transition. By permuting actions pertaining to Pf before all others thanks to 
Lemma El and previous remarks, we obtain an execution of the form 

A = (Po W {Pf}; <!>) {Vo w {P~}; ‘J’) {V2 tit {P-}; d>) 

where tr1.tr2.tro is a permutation of tr of independent labelled actions, tri = [aj^.tr'i, and 
Pq = Pq when Pf = P, and Pg = Potit {Pf} otherwise. 

In the compressed semantics, if we initiate a focus on Pf we can execute the actions of tri 
and release the focus when reaching P“, i.e., we have that (where I' is the label of P“): 

(P; 0 ;$) (Po; {Vg w {P-}; 0;^). 

We can conclude by induction hypothesis on tr 2 .tro. ◄ 


B.2 Equivalence 

We prove below the two implications of Theorem dealing first with soundness and then 
with the more involved completeness result. 


► Lemma 37 (Soundness). Let A and B be action-deterministic configurations such that
$\mathrm{skl}(A) = \mathrm{skl}(B)$. We have that $A \approx B$ implies $\lceil A \rceil \approx_c \lceil B \rceil$.

Proof. By symmetry it suffices to show $\lceil A \rceil \sqsubseteq_c \lceil B \rceil$. Consider an execution $\lceil A \rceil \xrightarrow{tr}_c A'$
such that $\mathrm{bc}(tr) \cap \mathrm{fc}(B) = \emptyset$. Thanks to Lemma [T^ we know that $A \xrightarrow{\lfloor tr \rfloor}_a \lfloor A' \rfloor$. Let
$\lfloor tr \rfloor = [\alpha_1]^{\ell_1} \ldots [\alpha_n]^{\ell_n}$ and we denote $A_1, \ldots, A_n$ the intermediate configurations that are
reached during this execution. We have that:

$A_0 = A \xrightarrow{[\alpha_1]^{\ell_1}}_a A_1 \ldots \xrightarrow{[\alpha_n]^{\ell_n}}_a A_n = (\mathcal{P}; \Phi_A)$.

Applying Lemma 13 we deduce that B can perform a very similar execution (same labels,
same actions), i.e.,

$B_0 = B \xrightarrow{[\alpha_1]^{\ell_1}}_a B_1 \ldots \xrightarrow{[\alpha_n]^{\ell_n}}_a B_n = (\mathcal{Q}; \Phi_B)$

with $\Phi(A_i) \sim \Phi(B_i)$ and $\mathrm{skl}(A_i) = \mathrm{skl}(B_i)$ for $0 \le i \le n$.

Due to this strong symmetry, we are sure that $\lceil B \rceil$ will be able to do this execution in
the compressed semantics. In particular, the fact that a given configuration $B_i$ can start
a positive phase or has to release the focus is determined by the set $\mathrm{skl}(B_i) = \mathrm{skl}(A_i)$ and
the fact that it can keep the focus on a specific process while performing positive actions
can be deduced from labels of tr. Finally, we have shown that if $A_i$ can execute an action
$\alpha$ using the Neg rule then $B_i$ can as well. The only missing part is about the fact that Neg
has been made non-branching using an arbitrary order on labelled skeletons. Let us say we
can use Neg only for actions whose skeleton is minimal among the other skeletons of available,
negative actions. Using $\mathrm{skl}(A_i) = \mathrm{skl}(B_i)$, we easily show that this is symmetric for $A_i$
and $B_i$. This way, we obtain an execution $\lceil B \rceil \xrightarrow{tr}_c B'$ with $\lfloor B' \rfloor = B_n$. Finally, we have
$\Phi(B') = \Phi_B \sim \Phi_A = \Phi(A')$. ◄

► Lemma 38. Let A and B be two action-deterministic configurations such that $A \approx_c B$. If
$A \xrightarrow{tr}_c A'$ and $B \xrightarrow{tr}_c B'$ for a labelled trace tr then $A' \approx_c B'$.

Proof. We assume $A \approx_c B$, $A \xrightarrow{tr}_c A'$ and $B \xrightarrow{tr}_c B'$ for a labelled trace $tr = \alpha_1 \ldots \alpha_n$.
We shall prove $A' \approx_c B'$. By symmetry, we show one inclusion. Consider an execution
$A' \xrightarrow{tr_2}_c A_2$ such that $\mathrm{bc}(tr_2) \cap \mathrm{fc}(B') = \emptyset$. Let us construct an execution $B' \xrightarrow{tr_2}_c B_2$ such
that $\Phi(A_2) \sim \Phi(B_2)$. Firstly, remark that since $B \xrightarrow{tr}_c B'$, we have that $\mathrm{bc}(tr) \cap \mathrm{fc}(B) = \emptyset$.
In order to exploit our hypothesis $A \approx_c B$, we shall prove that $\mathrm{bc}(tr.tr_2) \cap \mathrm{fc}(B) = \emptyset$. All that
remains to show is $\mathrm{bc}(tr_2) \cap (\mathrm{fc}(B) \setminus \mathrm{fc}(B')) = \emptyset$. This is implied by the fact that channels in
$\mathrm{fc}(B) \setminus \mathrm{fc}(B')$ must occur in tr as bound channels and, because of the execution $A \xrightarrow{tr.tr_2}_c A_2$,
those channels cannot appear in the set $\mathrm{bc}(tr_2)$.

We have that $A \xrightarrow{tr.tr_2}_c A_2$ and thus by hypothesis, $B \xrightarrow{tr.tr_2}_c B_2$ with $\Phi(B_2) \sim \Phi(A_2)$.
Since there can be at most one process in B that has a label that matches the label of $\alpha_1$,
there is at most one configuration $B_1$ that satisfies $B \xrightarrow{\alpha_1}_c B_1$. By iteration, we obtain the
unicity of the configuration $B'$ satisfying $B \xrightarrow{tr}_c B'$. We thus have obtained the required
execution $B' \xrightarrow{tr_2}_c B_2$. ◄


► Lemma 39. Let A and B be two action-deterministic configurations. If for any complete 
execution A -^ba A' with bc(tr)nfc(B) = 0, there exists a trace tr' and an execution B B' 
such that <I>(A') ^ ^{B'), then A Qa B. 

Proof. Let A ^0 be an execution of A with bc(tro) H fc(i?) = 0. Firstly, we complete the 
latter execution in an arbitrary way A *i°'*ib a A! such that any process of A is replicated 
and bc(tro.tri) n fc(B) = 0 (it suffices to choose fresh channels for B as well). By hypothesis, 
there exists an execution B *'’"'*^'b a B' such that (1)(A') ~ ^{B'). The latter execution of B 
is thus of the form B Bq B' . It remains to show that d>(Ao) ~ <I>(Bo). For the 
sake of contradiction, we assume that d)(i?o) ~ d)(Ao) does not hold. In other words, there 
is a test of equality over dom(<i>(i3o)) that holds for <l>(Ao) and does not for ^{Bq) (or the 
converse). Since dom(<l>(ilo)) C dom(<I>(B')) = dom(<l>(A')), this same test can be used to 
conclude that <I>(A') ~ <I>(B') does not hold as well leading to an absurd conclusion. ◄ 


► Lemma 40 (Completeness). Let A and B be two action-deterministic configurations
satisfying $\mathrm{skl}(A) = \mathrm{skl}(B)$. Then $\lceil A \rceil \approx_c \lceil B \rceil$ implies $A \approx B$.


Proof. Assume $\lceil A \rceil \approx_c \lceil B \rceil$; thanks to Lemma 36 it suffices to show $A \approx_a B$. Let us
show the following intermediate result: for any complete execution $A \xrightarrow{tr}_a A'$ such that
$\mathrm{bc}(tr) \cap \mathrm{fc}(B) = \emptyset$, there is an execution $B \xrightarrow{tr}_a B'$ such that $\Phi(A') \sim \Phi(B')$. Thanks to
Lemma and by symmetry of this intermediate result implies the required conclusion
B. 


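Let $A \xrightarrow{tr}_a A'$ be a complete execution with $\mathrm{bc}(tr) \cap \mathrm{fc}(B) = \emptyset$. We thus have that $A'$ is
initial. Applying Lemma 16 we obtain a trace $tr_c$ such that $\lceil A \rceil \xrightarrow{tr_c}_c \lceil A' \rceil$ and $\lfloor tr_c \rfloor$ can
be obtained from tr by swapping independent actions. Since we have $\lceil A \rceil \approx_c \lceil B \rceil$, we deduce
that $\lceil B \rceil \xrightarrow{tr_c}_c \lceil B' \rceil$ with $\Phi(A') \sim \Phi(B')$. Lemma 15 gives us $B \xrightarrow{\lfloor tr_c \rfloor}_a B'$. We can now apply
Lemma [TTl to obtain $B \xrightarrow{tr}_a B'$ and conclude. ◄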


C Reduction

C.1 Reachability

► Lemma (21). Let A and A' be two initial configurations such that $A \xrightarrow{tr}_c A'$. We have that
$A \xrightarrow{tr'}_c A'$ for any $tr' =_{\Phi(A')} tr$.


Proof. Thanks to Lemma 15 we have that [AJ (fP',^). We first prove that tr' can 

be performed using $\to_a$. For this, it suffices to establish the implication for each of the
two generators of $=_\Phi$. The first case is given by Lemma El. The second one is a common
property of (derivatives of) the applied $\pi$-calculus that follows from a simple observation
of the transition rules. Finally, we must prove that $tr'$ can be played using $\to_c$. Thanks to
initiality of A and ( 7 ^; 0; $) we know that each block of tr starts when the configuration 
is initial and after performing it we get another initial configuration. This is still true in 
[AJ ("P; $). Finally, labels of blocks of tr' ensures that a single process is used in a 

positive part of any block. Having proved those two facts, we can easily show that each
block of $tr'$ can be performed using $\to_c$. ◄


For the sake of readability of the following proofs, we now introduce some notations 
(where 6i, 62 are two blocks and is a frame): 

H we note bi ||* 62 when bi and 62 are sequentially independent {i.e., for any ai € bi and 
02 G &2) and 02 are sequentially independent); 

B we note 61 ||'^ 62 when bi and 62 are recipe independent {i.e., for any oi G 61 and 02 G 52, 
oi and 02 are recipe independent); 

B for two traces tr = 61 ... and tr' = b\ .. .b'^, we note (tr =e tr')<I> when n = m and for 
all i G [l;n], {bi =e 5 ')$. 


► Remark. Let A -lt>c A' be any compressed execution. If 61 and 62 are two blocks of tr and 
oi (resp. 02) is the first labelled action of 5 i (resp. 62) we have the following: 


5i 


62 Oi is sequentially independent with 02- 


This is implied by the fact that for any other action a[ of 5 i, its label has the label of ai as 
a prefix. 


► Lemma (24). Let A be an initial configuration and $A' = (\mathcal{P}; \emptyset; \Phi)$ be a configuration such
that $A \xrightarrow{tr}_c A'$. We have that tr is $\Phi$-minimal if, and only if, $A \xrightarrow{tr}_r A'$.


Proof. Let A and $(\mathcal{P}; \emptyset; \Phi)$ be two configurations such that $A \xrightarrow{tr}_c (\mathcal{P}; \emptyset; \Phi)$.

($\Rightarrow$) We first show that if tr is $\Phi$-minimal, then $A \xrightarrow{tr}_r (\mathcal{P}; \emptyset; \Phi)$ by induction on the
trace tr. The base case, i.e., $tr = \epsilon$ is straightforward. Now, assume that $tr = tr_0.b$ for
some block $b$ and $A \xrightarrow{tr_0}_c (\mathcal{P}_0; \emptyset; \Phi_0) \xrightarrow{b}_c A'$. Since tr is $\Phi$-minimal, we also have that $tr_0$
is $\Phi_0$-minimal and thus we obtain by induction hypothesis that $A \xrightarrow{tr_0}_r (\mathcal{P}_0; \emptyset; \Phi_0)$. To
conclude, it remains to show that $tr_0 \triangleright b'$ for any $b'$ such that $(b' =_E b)\Phi_0$. Assume that it is
not the case, this means that for some $b'$ such that $(b =_E b')\Phi_0$, the trace $tr_0$ can be written
$tr_0'.b_0 \ldots b_n$ with:

$b_i \parallel b'$ and $b_i \prec b'$ for any $i > 0$, as well as $b_0 \parallel b'$ and $b' \prec b_0$.

Let $tr' = tr_0'.b'.b_0 \ldots b_n$. We have $tr' \prec_{lex} tr$ and $tr' =_\Phi tr_0.b'$, which contradicts the
$\Phi$-minimality of tr.

(<^=) Now, we assume that tr is not ^-minimal, and we want to establish that tr cannot be 
executed in the reduced semantics. Let tr^ be the <I>-minimal trace of the equivalence class 
of tr. We have in particular tr^ =$ tr and tr^ ^lex tr. Now, we let tr^ (resp. tr^) be the 
“trace of labelled skeletons” associated to tr^ (resp. tr). Let trg be the longest common prefix 
of tr^ and tr® and tro (resp. trg) be the corresponding prefix of tr (resp. tr^). We have a 
decomposition of the form tr = tro.6.tri and tr^ = tr'Q.bm-^f'i ^ith (tro =e tro)<I> and bm -< b. 
Again, since when dropping recipes, the relation =$ only swaps sequentially independent 
labelled skeletons, block bm must have a counterpart in tr and, more precisely, in tri. We 
thus have a more precise decomposition of tr: tr — tro.6.trii.&(„.tri2 such that {b'm —e &m)d>. 

We now show that cannot be executed after tro.fe.trn in the reduced semantics 
(assuming that the trace has been executed so far in the reduced semantics). In other words, 
we show that tro.fe.trn > does not hold. We have seen that (6(^ =e &m)^ and bm ^ b so it 
suffices to show: 


bm II bi for any b^ G b.trn 

First, we prove bi bm (*.e., they are recipe independent) for any bi G fo.tru. This 
comes from the fact that tfQ.bm-tr'i = tr^ is plausible, and thus the inputs of bm only use 
handles introduced in tr), which are the same as those introduced in tro. In particular, the
inputs of bm do not rely on the handles introduced in fe.tru. Similarly, using the fact that 
tro.&.trii.6(x,.tri2 = tr is plausible and b'm = 6^, we deduce that handles of outputs of bm are 
not used in b.tru. 

Second, we show that bi ||® bm {i.e., they are sequentially independent) for any bi G b.tru. 
For this, we remark that for any traces tri.6.tr2 =$ tr^&'.tr^ such that (6 =e have that 

b W'' bs for all bs G skl(trj)\skl(tri) where skl(tr) is the multiset of labelled skeletons of blocks 
of tr, and \ should be read as multiset subtraction. This can be easily shown by induction 
on the relation =$. By applying this helping remark to tro.b'^.tr'2 =$ tro.6.trii.&(„.tri2, we 
obtain the required conclusion: b'.^ ||® b.tru and thus bm I* ^-trn. ◄ 
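
The criterion of Lemma 24 can be checked mechanically on a small instance. The following Python code is an added example, not code from the paper or from Apte: it ignores frames and recipes modulo E, and the `Block` fields, the sample blocks and the use of the label order as priority order $\prec$ are assumptions made for illustration. It implements the authorisation test whose negation is spelled out in the ($\Rightarrow$) direction above, enumerates every plausible ordering of four blocks, and confirms that the only ordering accepted is the lexicographically minimal one.

```python
"""Reduced-semantics filter on traces of blocks (constructed example)."""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Block:
    name: str
    label: tuple                      # label of the block's first action
    uses: frozenset = frozenset()     # handles read by the block's input recipes
    binds: frozenset = frozenset()    # handles introduced by the block's outputs


def is_prefix(l1, l2):
    return l2[:len(l1)] == l1


def independent(b1, b2):
    """Sequentially independent (no label is a prefix of the other) and
    recipe independent (no input of one uses a handle output by the other)."""
    sequential = not is_prefix(b1.label, b2.label) and not is_prefix(b2.label, b1.label)
    recipe = not (b1.uses & b2.binds) and not (b2.uses & b1.binds)
    return sequential and recipe


def prec(b1, b2):
    """Assumed priority order on blocks: lexicographic order on labels."""
    return b1.label < b2.label


def authorised(prefix, b):
    """tr |> b. Walking back from the end of tr, b is refused exactly when we
    cross only independent blocks of lower priority and then meet an
    independent block b0 with b < b0: moving b before b0 gives a smaller trace."""
    for b0 in reversed(prefix):
        if not independent(b0, b):
            return True          # a dependency pins b after b0
        if prec(b, b0):
            return False         # b could have been scheduled before b0
    return True


def reduced(trace):
    """A trace runs in the reduced semantics iff each block is authorised."""
    return all(authorised(trace[:i], b) for i, b in enumerate(trace))


def plausible(trace):
    """Causality: a block runs after every block whose label strictly prefixes
    its own, and after every block that outputs a handle it uses."""
    for i, b in enumerate(trace):
        for other in trace[i + 1:]:
            spawned_by = other.label != b.label and is_prefix(other.label, b.label)
            if spawned_by or (b.uses & other.binds):
                return False
    return True


def analyse(blocks):
    """Enumerate the plausible orderings of `blocks`. They differ only by swaps
    of adjacent independent blocks, so they form a single equivalence class."""
    traces = [t for t in permutations(blocks) if plausible(t)]
    kept = [t for t in traces if reduced(t)]
    minimal = min(traces, key=lambda t: [b.label for b in t])
    return traces, kept, minimal


# Constructed blocks: b3 continues the process of b1 and inputs a message
# built from handle w2, which is output by b2; b4 is unrelated to the others.
BLOCKS = [
    Block("b1", (1,), binds=frozenset({"w1"})),
    Block("b2", (2,), binds=frozenset({"w2"})),
    Block("b3", (1, 1), uses=frozenset({"w2"}), binds=frozenset({"w3"})),
    Block("b4", (3,)),
]

if __name__ == "__main__":
    traces, kept, minimal = analyse(BLOCKS)
    print(len(traces), "plausible traces,", len(kept), "kept by the reduced semantics")
    print("kept:   ", [b.name for b in kept[0]])
    print("minimal:", [b.name for b in minimal])
```
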


C.2 Equivalence 

► Proposition 41. For any static equivalent frames $\Phi \sim \Psi$ and compressed traces tr and tr',
we have that $tr =_\Phi tr'$ if, and only if, $tr =_\Psi tr'$.

Proof. The two implications are symmetric, we thus only show one implication. Considering
the two generators of $=_\Phi$, the only non-trivial step is to show that $tr.b_1.tr' =_\Psi tr.b_2.tr'$ when
$(b_1 =_E b_2)\Phi$. But the latter condition, together with $\Phi \sim \Psi$, yields $(b_1 =_E b_2)\Psi$ which allows
us to conclude. ◄

► Lemma 42. Let A and B be two action-deterministic configurations. If for any complete
execution of the form $A \xrightarrow{tr}_c (\mathcal{P}; \emptyset; \Phi)$ with $\mathrm{bc}(tr) \cap \mathrm{fc}(B) = \emptyset$, there exists an execution
$B \xrightarrow{tr}_c (\mathcal{Q}; \emptyset; \Psi)$ such that $\Phi \sim \Psi$, then $A \sqsubseteq_c B$.

Proof. Let A and B be two action-deterministic configurations, and assume that for any
complete execution $A \xrightarrow{tr}_c (\mathcal{P}; \emptyset; \Phi)$ with $\mathrm{bc}(tr) \cap \mathrm{fc}(B) = \emptyset$, there exists an execution
$B \xrightarrow{tr}_c (\mathcal{Q}; \emptyset; \Psi)$ such that $\Phi \sim \Psi$. Now, we have to establish that $A \sqsubseteq_c B$.

Let $(\mathcal{P}'; \emptyset; \Phi')$ be a configuration such that $A \xrightarrow{tr'}_c (\mathcal{P}'; \emptyset; \Phi')$. First, we can complete
this execution to reach a process $(\mathcal{P}; \emptyset; \Phi)$ such that each process $P \in \mathcal{P}$ is replicated, i.e.,

$A \xrightarrow{tr'}_c (\mathcal{P}'; \emptyset; \Phi') \xrightarrow{tr^+}_c (\mathcal{P}; \emptyset; \Phi)$ is a complete execution.

Without loss of generality, we can choose $tr^+$ so that it satisfies $\mathrm{bc}(tr^+) \cap \mathrm{fc}(B) = \emptyset$. By
hypothesis, we know that there exists an execution $B \xrightarrow{tr'.tr^+}_c (\mathcal{Q}; \emptyset; \Psi)$ such that $\Phi \sim \Psi$. Let
$B'$ be the configuration reached along this execution after the execution of $tr'$ and $\Psi'$ its
frame. Similarly to the proof of Lemma 39 we prove that $\Phi \sim \Psi$ implies $\Phi' \sim \Psi'$. ◄


► Theorem (26). Let A and B be two initial, action-deterministic configurations.

$A \approx_c B$ if, and only if, $A \approx_r B$

Proof. We prove the two directions separately.

($\Rightarrow$) $A \sqsubseteq_c B$ implies $A \sqsubseteq_r B$. Consider an execution of the form $A \xrightarrow{tr}_r (\mathcal{P}; \emptyset; \Phi)$ with
$\mathrm{bc}(tr) \cap \mathrm{fc}(B) = \emptyset$. Using Lemma 23 we know that $A \xrightarrow{tr}_c (\mathcal{P}; \emptyset; \Phi)$, and Lemma 24 tells us
that tr is $\Phi$-minimal. Since $A \sqsubseteq_c B$, we deduce that there exists $(\mathcal{Q}; \emptyset; \Psi)$ such that:

$B \xrightarrow{tr}_c (\mathcal{Q}; \emptyset; \Psi)$ and $\Phi \sim \Psi$.

Now, by Proposition 41 we obtain that tr is also $\Psi$-minimal, and so Lemma 24 tells us that
the execution of tr by B can also be performed in the reduced semantics.

($\Leftarrow$) $A \sqsubseteq_r B$ implies $A \sqsubseteq_c B$. Relying on Lemma 42, it is actually sufficient to show that
for any complete execution $A \xrightarrow{tr}_c (\mathcal{P}; \emptyset; \Phi) = A'$ with $\mathrm{bc}(tr) \cap \mathrm{fc}(B) = \emptyset$, there exists an
execution of the form $B \xrightarrow{tr}_c (\mathcal{Q}; \emptyset; \Psi)$ such that $\Phi \sim \Psi$. Note that since the given execution
is complete, we have that $A'$ is initial. Let $tr'$ be a $\Phi$-minimal trace in the equivalence class
of tr. We have that A executes $tr'$ in the reduced semantics, and so for some $B'$ we have

$B \xrightarrow{tr'}_r B'$ and $\Phi(B') \sim \Phi$.

Using Lemma 23 we obtain the same execution in the compressed semantics. Finally, by
Proposition 41 we obtain $tr' =_{\Phi(B')} tr$, and by Lemma 21 we obtain:

$B \xrightarrow{tr}_c B'$ and $\Phi(B') \sim \Phi$




D Optimization for improper blocks

Between any two initial configurations, the compressed as well as the reduced semantics
execute a sequence of actions of the form $\mathrm{foc}(\alpha).tr^+.\mathrm{rel}.tr^-$ where $tr^+$ is a
(possibly empty) sequence of input actions, whereas $tr^-$ is a (non-empty) sequence of out,
par, and zero actions. Such sequences are called blocks. Now, we also make a distinction
between blocks having a null negative phase (i.e., $tr^- = \mathrm{zero}$), and the others. The former
are called improper blocks whereas the latter are called proper blocks. Finally, we say that a
trace is proper if it contains at most one improper block and only at the end of the trace.

The idea is that, when checking trace equivalence, we do not have to consider all possible 
traces but we can actually restrict to proper ones. We present below an improved version of 
the notions of compressed and reduced equivalence. 
D.1 Compression

► Definition 43. Let A and B be two configurations. We have that $A \sqsubseteq_{c+i} B$ if, for every
$A'$ such that $A \xrightarrow{tr}_c A'$ and $\mathrm{bc}(tr) \cap \mathrm{fc}(B) = \emptyset$ for some proper tr, there exists $B'$ such that
$B \xrightarrow{tr}_c B'$ with $\Phi(A') \sim \Phi(B')$. We write $A \approx_{c+i} B$, if $A \sqsubseteq_{c+i} B$ and $B \sqsubseteq_{c+i} A$.

Operationally, we can obtain $\approx_{c+i}$ by adding a case to the Release rule (and constraining
the former rule to not apply in that case):


Release^ {V] [0]^; 4>) (0; 0; 4*) 

This rule discards exactly the traces containing an improper block that is not at the end:
note that having 0 under focus implies that the negative part of the block will be restricted
to zero. This is because no negative action was available before performing this block and
consequently there can only be a zero in the negative part of the block.

► Proposition 44. Let A and B be two initial action-deterministic configurations.

$A \approx_c B$ if, and only if, $A \approx_{c+i} B$

Proof. The ($\Rightarrow$) direction is trivial. We focus on the other one. Assume that $A \sqsubseteq_{c+i} B$. Let
$A'$ be such that $A \xrightarrow{tr}_c A'$ for some tr such that $\mathrm{bc}(tr) \cap \mathrm{fc}(B) = \emptyset$. Let $b_1, \ldots, b_k$ be the
improper blocks that occur in tr. We have that $b_1, \ldots, b_k$ are pairwise independent. Moreover,
we have that there exists $tr'$ made of proper blocks such that $tr'.b_1 \ldots b_k$ is obtained from tr
by swapping independent blocks, and thus we have that $A \xrightarrow{tr'.b_1 \ldots b_k}_c A'$. There exist initial
configurations $A_0, A_1, \ldots, A_k$ such that $A \xrightarrow{tr'}_c A_0$, and

$A_0 \xrightarrow{b_1}_c A_1$, $A_0 \xrightarrow{b_2}_c A_2$, $\ldots$, $A_0 \xrightarrow{b_k}_c A_k$.

Thanks to our hypothesis, we deduce that there exist configurations $B_0, B_1, \ldots, B_k$ such
that $B \xrightarrow{tr'}_c B_0$ with $\Phi(A_0) \sim \Phi(B_0)$, and

$B_0 \xrightarrow{b_1}_c B_1$, $B_0 \xrightarrow{b_2}_c B_2$, $\ldots$, $B_0 \xrightarrow{b_k}_c B_k$.

We have also that $\Phi(A_0) \sim \Phi(B_0)$. Since blocks $b_1, \ldots, b_k$ are pairwise independent, we
deduce that there exists $B'$ such that $B \xrightarrow{tr'}_c B_0 \xrightarrow{b_1 \ldots b_k}_c B'$ with $\Phi(B') = \Phi(B_0)$. Then,
permutations of blocks can be undone to retrieve tr (since swapping has been done between
independent blocks). ◄


D.2 Reduction 

► Definition 45. Let A and B be two configurations. We have that $A \sqsubseteq_{r+i} B$ if, for every
$A'$ such that $A \xrightarrow{tr}_r A'$ and $\mathrm{bc}(tr) \cap \mathrm{fc}(B) = \emptyset$ for some proper tr, there exists $B'$ such that
$B \xrightarrow{tr}_r B'$ with $\Phi(A') \sim \Phi(B')$. We write $A \approx_{r+i} B$, if $A \sqsubseteq_{r+i} B$ and $B \sqsubseteq_{r+i} A$.

► Proposition 46. Let A and B be two initial action-deterministic configurations.

$A \approx_r B$ if, and only if, $A \approx_{r+i} B$

Proof. The ($\Rightarrow$) direction is trivial. We focus on the other one. Assume that $A \sqsubseteq_{r+i} B$. Let
$A'$ be such that $A \xrightarrow{tr}_r A'$ for some tr such that $\mathrm{bc}(tr) \cap \mathrm{fc}(B) = \emptyset$. Lemma 23 tells us that
$A \xrightarrow{tr}_c A'$, and thanks to Lemma 24 we have that tr is $\Phi(A')$-minimal.
Let $b_1, \ldots, b_k$ be the improper blocks that occur in tr. We have that there exist
$tr_0, tr_1, \ldots, tr_k$ made of proper blocks such that $tr = tr_0.b_1.tr_1.b_2 \ldots tr_{k-1}.b_k.tr_k$. We have
that $b_1, \ldots, b_k$ are pairwise independent, and also:

$tr =_{\Phi(A')} tr_0.tr_1 \ldots tr_k.b_1 \ldots b_k$


Because there are no dependencies between bi and tr^ for i < j, and because the bi do 
not have any output, we have that A . >lo) and also that: 

A Ai, A A 2 , ...,A . ylfc. 


Thanks to our hypothesis, we deduce that there exist Bq, Bi,..., Bk such that B 
Bq with d>(Ao) ~ ^{Bq), and also that: 


B Bi, B B 2 , ...,B Bk 


We deduce that there exists B' such that B ko-ai....trt.6i... ]\[gj(-t, we observe that 

<h(W) = <h(Ao) ~ $(^0) = d>(i?'). From this we conclude tr =$(b') trp.tri.. .trfc.6i.6fc, 

hence B -^bc B'. Since tr is $(A')-minimal it is also <i>(i3')-minimal, and thus B B' by 
Lemma ◄ 